Malware Analysis Report

2024-11-15 07:54

Sample ID 241110-n8gnxawjgs
Target dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f
SHA256 dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f
Tags
discovery evasion themida trojan smokeloader pub1 backdoor fabookie ffdroider spyware stealer upx danabot 4 banker redline sectoprat infostealer rat build2 23.08
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f

Threat Level: Known bad

The file dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f was found to be: Known bad.

Malicious Activity Summary

discovery evasion themida trojan smokeloader pub1 backdoor fabookie ffdroider spyware stealer upx danabot 4 banker redline sectoprat infostealer rat build2 23.08

Smokeloader family

Fabookie family

Sectoprat family

SectopRAT payload

Detect Fabookie payload

Redline family

Danabot Loader Component

SectopRAT

RedLine payload

FFDroider

Ffdroider family

Danabot

SmokeLoader

RedLine

Danabot family

FFDroider payload

Fabookie

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detected Nirsoft tools

Blocklisted process makes network request

Themida packer

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Looks up external IP address via web service

Checks installed software on the system

UPX packed file

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 12:04

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/1772-0-0x0000000000110000-0x000000000076E000-memory.dmp

memory/1772-1-0x0000000076030000-0x0000000076031000-memory.dmp

memory/1772-3-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-2-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-6-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-5-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-4-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-9-0x0000000000110000-0x000000000076E000-memory.dmp

memory/1772-10-0x0000000005B70000-0x0000000006188000-memory.dmp

memory/1772-11-0x00000000055C0000-0x00000000055D2000-memory.dmp

memory/1772-12-0x00000000056F0000-0x00000000057FA000-memory.dmp

memory/1772-13-0x0000000005620000-0x000000000565C000-memory.dmp

memory/1772-14-0x0000000005660000-0x00000000056AC000-memory.dmp

memory/1772-15-0x0000000000110000-0x000000000076E000-memory.dmp

memory/1772-16-0x0000000076030000-0x0000000076031000-memory.dmp

memory/1772-17-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-18-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-19-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-20-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-21-0x0000000076010000-0x0000000076100000-memory.dmp

memory/1772-23-0x0000000076010000-0x0000000076100000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240729-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Network

Country Destination Domain Proto
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp

Files

memory/2464-0-0x00000000009E0000-0x0000000001040000-memory.dmp

memory/2464-1-0x0000000076371000-0x0000000076372000-memory.dmp

memory/2464-6-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-5-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-4-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-3-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-2-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-7-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-8-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-27-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-26-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-25-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-24-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-23-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-22-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-21-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-20-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-19-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-18-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-17-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-16-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-15-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-14-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-13-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-28-0x00000000009E0000-0x0000000001040000-memory.dmp

memory/2464-29-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-30-0x00000000009E0000-0x0000000001040000-memory.dmp

memory/2464-31-0x0000000076371000-0x0000000076372000-memory.dmp

memory/2464-32-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-33-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-34-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-35-0x0000000076360000-0x0000000076470000-memory.dmp

memory/2464-37-0x0000000076360000-0x0000000076470000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe"

Signatures

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe

"C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp

Files

memory/1844-2-0x00007FF78ABE0000-0x00007FF78ABFF000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File created C:\Program Files (x86)\GameBox\is-33JUD.tmp C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File opened for modification C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp" /SL5="$501E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.8.187:80 proxycheck.io tcp
US 8.8.8.8:53 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com udp
IN 52.219.66.123:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
IN 52.219.66.123:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
US 8.8.8.8:53 187.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 123.66.219.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2996-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2996-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SLKHJ.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/2892-6-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9CGSP.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/2892-15-0x0000000003940000-0x000000000397C000-memory.dmp

memory/2892-17-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2892-18-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2892-19-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2892-20-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2892-21-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2996-22-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2892-24-0x0000000003940000-0x000000000397C000-memory.dmp

memory/2892-33-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2892-38-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2996-39-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20241010-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 136

Network

N/A

Files

memory/2240-1-0x0000000002580000-0x0000000002680000-memory.dmp

memory/2240-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2240-3-0x0000000000400000-0x00000000023AE000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\d C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\d.jfm C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\d C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\tmp.edb C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\d.jfm C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\jooyu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 2000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 2000 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 2000 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 2000 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 2000 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2000 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2000 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2260 wrote to memory of 3108 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2260 wrote to memory of 3108 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2260 wrote to memory of 3108 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2260 wrote to memory of 1828 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2260 wrote to memory of 1828 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2260 wrote to memory of 1828 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

C:\Program Files (x86)\Company\NewProduct\customer3.exe

"C:\Program Files (x86)\Company\NewProduct\customer3.exe"

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 152.32.151.93:80 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 uyg5wye.2ihsfa.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp

Files

C:\Program Files (x86)\Company\NewProduct\customer3.exe

MD5 1daac0c9a48a79976539b0722f9c3d3b
SHA1 843218f70a6a7fd676121e447b5b74acb0d87100
SHA256 e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA512 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5 ce11de1000560d312bf6ab0b5327e87b
SHA1 557f3f780cb0f694887ada330a87ba976cdb168f
SHA256 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a
SHA512 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

MD5 aed57d50123897b0012c35ef5dec4184
SHA1 568571b12ca44a585df589dc810bf53adf5e8050
SHA256 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512 ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

memory/2364-43-0x00000000001C0000-0x00000000001C3000-memory.dmp

memory/2364-42-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2000-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/3108-54-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3108-57-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/2364-60-0x0000000003800000-0x0000000003810000-memory.dmp

memory/2364-66-0x0000000003960000-0x0000000003970000-memory.dmp

memory/2364-73-0x0000000004400000-0x0000000004408000-memory.dmp

memory/2364-74-0x0000000004420000-0x0000000004428000-memory.dmp

memory/2364-76-0x00000000044C0000-0x00000000044C8000-memory.dmp

memory/2364-79-0x0000000004610000-0x0000000004618000-memory.dmp

memory/2364-80-0x00000000048B0000-0x00000000048B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

memory/1828-84-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecvA095.tmp

MD5 6f6f7f15ea023dce8934c16b90fc095b
SHA1 39673c16cd036ae37639c665e5ad08ac4a345c00
SHA256 95fe750a641227db786024d9147efc435408d4c39fc4a19dd3b65de7a5d90e9e
SHA512 d2cd130f4067b3d9ad6e6eca03934905eb4e63efe6fb47de2b3e49428dddd8f070ee700175c0d6fa1032b3dc8888f6f4cb8ecc2c6e216fe6da7d8e018693aa0a

memory/1828-91-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2364-92-0x0000000004B50000-0x0000000004B58000-memory.dmp

memory/2364-93-0x0000000004A50000-0x0000000004A58000-memory.dmp

memory/2364-94-0x00000000048C0000-0x00000000048C8000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 1c21259b1a8b550261c18c52925a7d18
SHA1 15188460c7b5d2051dfac7ac195cb24be8f35360
SHA256 7dcba99d247bff8f977eb97c6309544ced469cb8603e74cf6458cd92c4a768aa
SHA512 eadbcc9a18153dc0ffa3473be30fdfa9daca26633b733b4288f672bca3bdcb0285abed72ea26a2246230448b04c0d9bcbbd994aaada6077a60b1ac2e683dc8ba

memory/2364-107-0x0000000004420000-0x0000000004428000-memory.dmp

memory/2364-115-0x00000000048C0000-0x00000000048C8000-memory.dmp

memory/2364-130-0x0000000004420000-0x0000000004428000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 26101534cdddf3008f3390973ea879ac
SHA1 9cc9f5dd3dcd7eacce8808cbc60df2ae56bf76aa
SHA256 e5ee9fba2b0746a4b2729ae33319d7bfbf92175a3d9f5ff803c5d3969944986f
SHA512 3a38c93bb3a688e7ea48734223cd47a0f065f0549971de770a918bf5f210941f4d5e0a46b61e572c2602e1e1575ba7680eea0673c4477c359875ed719ebc12d2

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 785337cf01af6351f8fcb17076f9ed9b
SHA1 e3bb5ae6d04a35ddd9b353981f4b9d049af8e920
SHA256 7f17342feb6c82ba2a71e1b7f4e67545082dc27125fb188877ef68fe852b1191
SHA512 b5f08dbc52b83adde97383ac70daf82d6f850d7b5f2ea3ce1d085b45ea10d7026294831371cdfda1d0701b429aa12c2f4289017481bd1c9160525f44b98291e0

memory/2364-138-0x00000000049F0000-0x00000000049F8000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 dc6296782a09857b171cf45e0facb447
SHA1 902414f6e63db91960c6cb3b9e0ff0f5275a6bf8
SHA256 968c1a3d35aa81d978f716bb7dd86317690e79850017f5ee438234fead365d85
SHA512 2d1d7b0d04a5e3517893d57816f383e59b158d71958c661d295d34cd622c27f65d6d35e1d7715501efadc2432dbc7cfbc95ef94d9cdfd9d52bac9ebf36afb1e7

memory/2364-117-0x00000000049F0000-0x00000000049F8000-memory.dmp

memory/2364-140-0x00000000048C0000-0x00000000048C8000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 1cda14d0c8d176de2c10d23f5ba3ee1d
SHA1 9b89d50609c722141ac8b5cf31fd01cd2e7f9276
SHA256 9fa84362ba29f46f790394cdba89f5fe63061dc1704d890d4f344851596278ac
SHA512 6a4db90229bfbef1a52656ac482bb2b674eafa8440683ee911b8a0c03b5bc3c735431ad54cf385152e91d2341a0ac080884e64fd502c8fae70a08da1ced3a2f1

memory/2364-179-0x00000000042E0000-0x00000000042E8000-memory.dmp

memory/2364-180-0x0000000004300000-0x0000000004308000-memory.dmp

memory/2364-188-0x00000000043A0000-0x00000000043A8000-memory.dmp

memory/2364-192-0x0000000004520000-0x0000000004528000-memory.dmp

memory/2364-191-0x00000000043A0000-0x00000000043A8000-memory.dmp

memory/2364-193-0x00000000045D0000-0x00000000045D8000-memory.dmp

memory/2364-194-0x00000000045E0000-0x00000000045E8000-memory.dmp

memory/2364-195-0x0000000004540000-0x0000000004548000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 bdda0fe64070a231b1081e515f47fb7a
SHA1 d1c86c08342c74e5517d2e0101ae9b04b6718ca9
SHA256 2bb9d9cbae130757a38b0c915604a9b2f4af0dd2f78c28808d980c500599c756
SHA512 ff752a6164d24eabd630e4456913cba5afa674428f5ec2baa583b4d1294ae89ab8ffd87504bf8ae76370abc8e028e1ed60d2434f1ad94222a7b134bbf72466c7

memory/2364-208-0x0000000004300000-0x0000000004308000-memory.dmp

memory/2364-216-0x0000000004540000-0x0000000004548000-memory.dmp

memory/2364-218-0x0000000004570000-0x0000000004578000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 49f452f681613a72c675dda9a652ab71
SHA1 57379c2da4ae66c4dfc34160b2b8fcc42c09b4a6
SHA256 edd9721c7ecbd9289497a2693f4a73b951fd616569ca38dd0ab84a3c01f79edd
SHA512 b651cd7e762ada1598daee0f603968402467f2633abc81f0111b0c1a973951e8c072b3183f1da5b5b4677715fb10b814782a802938b4c3cc2b0acde02e326ee1

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 0a5de274563df3dab4897409e1f2563e
SHA1 bf063cb26265985734d0727dcbd6737c7887b178
SHA256 8085aa2dc1ff41c2dcc65e33d073778b31e8505a7a8c808af44257bdde386282
SHA512 f0923bf7e40671187c77732e8e58cdedede6a63476d0e742ce7cc8657a605fa5ffc7e5c8236a5aa1db6537271d8f46ee0810d222168a86bd591f56c4ad700414

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 c878d8c696efd352808a14e9343fd776
SHA1 8054f081d6fde78d80e637a73b763b95166d6426
SHA256 f27db90a59f03fc7c71f73766102b48e54fd04b4d6011a75931f159ec583a2b4
SHA512 4e60ccfe5b7e05a19f373a86a02c850faf5c758b0a8b013ccb49a6f8fbc29b5fdb4fa61c020fb5610ee32dbe31e51f3cedf8139a3005b574022eb0e19de5cb9e

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20241010-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe" -q

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File created C:\Program Files (x86)\GameBox\is-EBHDO.tmp C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File opened for modification C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp" /SL5="$30144,138429,56832,C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.8.187:80 proxycheck.io tcp
US 8.8.8.8:53 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com udp
IN 3.5.212.101:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
IN 3.5.212.101:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp

Files

memory/2668-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2668-3-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-GVD5J.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

\Users\Admin\AppData\Local\Temp\is-OD3NF.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2716-8-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2716-17-0x0000000001ED0000-0x0000000001F0C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-OD3NF.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/2716-19-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2716-20-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2716-22-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2716-21-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2716-23-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2668-24-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2716-26-0x0000000001ED0000-0x0000000001F0C000-memory.dmp

\Program Files (x86)\GameBox\unins000.exe

MD5 f0477b622428f93864bfee68dd054e6d
SHA1 28bef7759909021f7126b41299d0c310746603de
SHA256 fbe9abe3885a928bb762ff4be6e00e55395056ab6d66a8ea0d2fc6a43bdbd75e
SHA512 7bc1a0b94893cce3cf08b02b224440ce08b716165184816804d979d0c71bd0f8bbd3e5dc645dc7d20356e0f995bff39a2b1e13a4c3b140f9bfafb48965f55afe

memory/2716-36-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2716-41-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2668-42-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240903-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.DLL,s C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.EXE

Network

Country Destination Domain Proto
US 23.229.29.48:443 tcp

Files

memory/2412-0-0x0000000003DF0000-0x0000000003EDF000-memory.dmp

memory/2412-1-0x0000000003DF0000-0x0000000003EDF000-memory.dmp

memory/2412-2-0x0000000003EE0000-0x0000000003FE6000-memory.dmp

memory/2412-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2412-6-0x0000000003DF0000-0x0000000003EDF000-memory.dmp

memory/2412-7-0x0000000003EE0000-0x0000000003FE6000-memory.dmp

memory/2412-9-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2412-8-0x0000000000400000-0x000000000248D000-memory.dmp

\Users\Admin\AppData\Local\Temp\6IVHC9~1.DLL

MD5 da3e02b683f8e2eff4222ec8f34d6631
SHA1 a13526c6728ee09dd23cef010eb23933a9b431a9
SHA256 391b4d8485e0ec484015b11fb1ed3bda01b605af3783cd843500b8f36b550931
SHA512 eb26175882c19d51e0603952d0d9f992fb2bf639c8cfbddb3ac4ca2ddfc5149ca0d9d96cd63b4a344c2a160d2fc7ebac94358ec75f03f717e6d4bcf92442e8c5

memory/2760-20-0x00000000008F0000-0x0000000000A51000-memory.dmp

memory/2412-21-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2760-22-0x00000000008F0000-0x0000000000A51000-memory.dmp

memory/2412-35-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2412-34-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2760-38-0x00000000008F0000-0x0000000000A51000-memory.dmp

memory/2760-39-0x00000000008F0000-0x0000000000A51000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.DLL,s C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3500 -ip 3500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 512

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 23.229.29.48:443 tcp

Files

memory/3500-1-0x0000000004090000-0x000000000418F000-memory.dmp

memory/3500-2-0x0000000004270000-0x0000000004376000-memory.dmp

memory/3500-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3500-6-0x0000000004090000-0x000000000418F000-memory.dmp

memory/3500-8-0x0000000004270000-0x0000000004376000-memory.dmp

memory/3500-7-0x0000000000400000-0x000000000248D000-memory.dmp

memory/3500-9-0x0000000000400000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.EXE.dll

MD5 10eaf70ee8ca7fbaf0d5f966db83d914
SHA1 3eef19259269542bb641c14610b661f4d6cb02af
SHA256 56805957102c4e3fad8080955378c89896d91c766e71dc104c257d7bfdb6d630
SHA512 57c29c67015f56f80e842147ff22a064830cc1588788b16e41f1e6880b657a7c54eb6fe6425f23895991ff0e084e343613bc9883c12b68c38b43997888e243d6

memory/3500-17-0x0000000000400000-0x000000000248D000-memory.dmp

memory/4840-18-0x0000000000400000-0x0000000000561000-memory.dmp

memory/3500-31-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3500-30-0x0000000000400000-0x000000000248D000-memory.dmp

memory/4840-32-0x0000000000400000-0x0000000000561000-memory.dmp

memory/4840-33-0x0000000000400000-0x0000000000561000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp

Files

memory/4156-0-0x00000000005B0000-0x0000000000C10000-memory.dmp

memory/4156-1-0x00000000763E0000-0x00000000763E1000-memory.dmp

memory/4156-5-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-7-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-6-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-8-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-4-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-3-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-2-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-12-0x00000000005B0000-0x0000000000C10000-memory.dmp

memory/4156-14-0x00000000052A0000-0x00000000052B2000-memory.dmp

memory/4156-13-0x0000000005860000-0x0000000005E78000-memory.dmp

memory/4156-15-0x00000000053D0000-0x00000000054DA000-memory.dmp

memory/4156-16-0x0000000005300000-0x000000000533C000-memory.dmp

memory/4156-17-0x0000000005340000-0x000000000538C000-memory.dmp

memory/4156-18-0x00000000005B0000-0x0000000000C10000-memory.dmp

memory/4156-19-0x00000000763E0000-0x00000000763E1000-memory.dmp

memory/4156-20-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-21-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-22-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-23-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-24-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-25-0x00000000763C0000-0x00000000764B0000-memory.dmp

memory/4156-27-0x00000000763C0000-0x00000000764B0000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240708-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Network

Country Destination Domain Proto
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp

Files

memory/1988-1-0x0000000002E40000-0x0000000002F40000-memory.dmp

memory/1988-2-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1988-3-0x00000000003E0000-0x0000000000402000-memory.dmp

memory/1988-4-0x00000000048A0000-0x00000000048C0000-memory.dmp

memory/1988-5-0x0000000000400000-0x0000000002CD0000-memory.dmp

memory/1988-6-0x0000000002E40000-0x0000000002F40000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp

Files

memory/216-1-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

memory/216-2-0x0000000002D90000-0x0000000002DBF000-memory.dmp

memory/216-3-0x0000000000400000-0x0000000000432000-memory.dmp

memory/216-4-0x0000000004AF0000-0x0000000004B12000-memory.dmp

memory/216-5-0x00000000075F0000-0x0000000007B94000-memory.dmp

memory/216-6-0x0000000004F60000-0x0000000004F80000-memory.dmp

memory/216-7-0x0000000000400000-0x0000000002CD0000-memory.dmp

memory/216-8-0x0000000007BA0000-0x00000000081B8000-memory.dmp

memory/216-9-0x0000000007460000-0x0000000007472000-memory.dmp

memory/216-10-0x0000000007480000-0x00000000074BC000-memory.dmp

memory/216-11-0x00000000074E0000-0x000000000752C000-memory.dmp

memory/216-12-0x0000000008250000-0x000000000835A000-memory.dmp

memory/216-14-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

memory/216-15-0x0000000002D90000-0x0000000002DBF000-memory.dmp

memory/216-16-0x0000000000400000-0x0000000000432000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 548

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 23.229.29.48:443 tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/3112-1-0x00000000040B0000-0x00000000041A7000-memory.dmp

memory/3112-2-0x0000000004250000-0x0000000004356000-memory.dmp

memory/3112-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3112-6-0x00000000040B0000-0x00000000041A7000-memory.dmp

memory/3112-8-0x0000000004250000-0x0000000004356000-memory.dmp

memory/3112-7-0x0000000000400000-0x000000000248D000-memory.dmp

memory/3112-9-0x0000000000400000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL

MD5 ccba57951405708763aab4341d2127e2
SHA1 0fee689551c31486944ce755d26ad9f0dfbb8c98
SHA256 2da1d37413a303931c67d0fd5eefc9a4f8ccf82d8de5b552c643476136433dc9
SHA512 7b6a512feeaabc48c40e76aba967fb2defc483bd2ee6c40a1d2e6d53da406e66c001353d5fd660ddf82c4d6e7512afe67fae0a69ae3a00c2a9c8a1a242f093ba

memory/5000-18-0x0000000002100000-0x0000000002261000-memory.dmp

memory/3112-19-0x0000000000400000-0x000000000248D000-memory.dmp

memory/5000-20-0x0000000002100000-0x0000000002261000-memory.dmp

memory/3112-33-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3112-32-0x0000000000400000-0x000000000248D000-memory.dmp

memory/5000-36-0x0000000002100000-0x0000000002261000-memory.dmp

memory/5000-37-0x0000000002100000-0x0000000002261000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240903-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Network

Country Destination Domain Proto
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp

Files

memory/1872-0-0x0000000000D20000-0x000000000137E000-memory.dmp

memory/1872-1-0x0000000076C51000-0x0000000076C52000-memory.dmp

memory/1872-5-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-7-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-6-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-11-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-15-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-21-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-20-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-19-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-18-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-17-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-16-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-14-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-13-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-22-0x0000000000D20000-0x000000000137E000-memory.dmp

memory/1872-12-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-10-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-9-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-8-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-23-0x0000000000D20000-0x000000000137E000-memory.dmp

memory/1872-24-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-25-0x0000000076C40000-0x0000000076D50000-memory.dmp

memory/1872-26-0x0000000076C40000-0x0000000076D50000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/2196-1-0x0000000002400000-0x0000000002500000-memory.dmp

memory/2196-2-0x0000000004160000-0x0000000004190000-memory.dmp

memory/2196-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2196-4-0x00000000043F0000-0x0000000004414000-memory.dmp

memory/2196-5-0x0000000006B50000-0x00000000070F4000-memory.dmp

memory/2196-6-0x00000000045A0000-0x00000000045C2000-memory.dmp

memory/2196-7-0x0000000007200000-0x0000000007292000-memory.dmp

memory/2196-8-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/2196-9-0x00000000072A0000-0x00000000078B8000-memory.dmp

memory/2196-10-0x0000000007940000-0x0000000007952000-memory.dmp

memory/2196-11-0x0000000007960000-0x0000000007A6A000-memory.dmp

memory/2196-12-0x0000000007CA0000-0x0000000007CDC000-memory.dmp

memory/2196-13-0x0000000007D20000-0x0000000007D6C000-memory.dmp

memory/2196-14-0x0000000002400000-0x0000000002500000-memory.dmp

memory/2196-15-0x0000000004160000-0x0000000004190000-memory.dmp

memory/2196-17-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\jooyu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 2656 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 2656 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 2656 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 2656 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 2656 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 2656 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 2656 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 2656 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2656 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2656 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2656 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2632 wrote to memory of 2476 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2632 wrote to memory of 2476 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2632 wrote to memory of 2476 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2632 wrote to memory of 2476 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2632 wrote to memory of 572 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2632 wrote to memory of 572 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2632 wrote to memory of 572 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2632 wrote to memory of 572 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

C:\Program Files (x86)\Company\NewProduct\customer3.exe

"C:\Program Files (x86)\Company\NewProduct\customer3.exe"

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.lletlee.com udp
US 152.32.151.93:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 uyg5wye.2ihsfa.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp

Files

\Program Files (x86)\Company\NewProduct\customer3.exe

MD5 1daac0c9a48a79976539b0722f9c3d3b
SHA1 843218f70a6a7fd676121e447b5b74acb0d87100
SHA256 e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA512 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5 ce11de1000560d312bf6ab0b5327e87b
SHA1 557f3f780cb0f694887ada330a87ba976cdb168f
SHA256 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a
SHA512 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655

memory/2656-36-0x0000000003610000-0x0000000003854000-memory.dmp

memory/2692-40-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2692-39-0x0000000000020000-0x0000000000023000-memory.dmp

memory/2656-38-0x0000000003610000-0x0000000003854000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

MD5 aed57d50123897b0012c35ef5dec4184
SHA1 568571b12ca44a585df589dc810bf53adf5e8050
SHA256 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512 ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

memory/2656-46-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2692-49-0x0000000000400000-0x0000000000644000-memory.dmp

\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/2632-53-0x0000000000120000-0x000000000017B000-memory.dmp

memory/2476-59-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2476-62-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\Local\Temp\Cab1AD3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1AE5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

memory/2632-102-0x0000000000180000-0x00000000001A2000-memory.dmp

memory/572-108-0x0000000000400000-0x0000000000422000-memory.dmp

memory/572-115-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2632-116-0x0000000000120000-0x000000000017B000-memory.dmp

memory/2632-118-0x0000000000120000-0x000000000017B000-memory.dmp

memory/2632-119-0x0000000000180000-0x00000000001A2000-memory.dmp

memory/2632-120-0x0000000000180000-0x00000000001A2000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe" -q

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 908

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240903-en

Max time kernel

119s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2912 set thread context of 3028 N/A C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Network

N/A

Files

memory/3028-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3028-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2912-2-0x0000000000220000-0x000000000022A000-memory.dmp

memory/2912-1-0x0000000002550000-0x0000000002650000-memory.dmp

memory/3028-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3028-7-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240729-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Network

Country Destination Domain Proto
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/2540-1-0x0000000002830000-0x0000000002930000-memory.dmp

memory/2540-2-0x0000000000230000-0x0000000000260000-memory.dmp

memory/2540-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2540-4-0x0000000000300000-0x0000000000324000-memory.dmp

memory/2540-5-0x00000000025A0000-0x00000000025C2000-memory.dmp

memory/2540-6-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/2540-7-0x0000000002830000-0x0000000002930000-memory.dmp

memory/2540-8-0x0000000000230000-0x0000000000260000-memory.dmp

memory/2540-9-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/1372-1-0x0000000002620000-0x0000000002720000-memory.dmp

memory/1372-2-0x0000000002520000-0x0000000002550000-memory.dmp

memory/1372-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1372-4-0x0000000004360000-0x0000000004384000-memory.dmp

memory/1372-5-0x0000000006B00000-0x00000000070A4000-memory.dmp

memory/1372-6-0x0000000004420000-0x0000000004442000-memory.dmp

memory/1372-7-0x00000000045D0000-0x0000000004662000-memory.dmp

memory/1372-8-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/1372-9-0x00000000071B0000-0x00000000077C8000-memory.dmp

memory/1372-10-0x0000000007800000-0x0000000007812000-memory.dmp

memory/1372-11-0x0000000007830000-0x000000000793A000-memory.dmp

memory/1372-12-0x0000000009170000-0x00000000091AC000-memory.dmp

memory/1372-13-0x0000000007A40000-0x0000000007A8C000-memory.dmp

memory/1372-14-0x0000000002620000-0x0000000002720000-memory.dmp

memory/1372-16-0x0000000002520000-0x0000000002550000-memory.dmp

memory/1372-17-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Network

Country Destination Domain Proto
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/1620-1-0x0000000002590000-0x0000000002690000-memory.dmp

memory/1620-2-0x0000000000260000-0x0000000000290000-memory.dmp

memory/1620-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1620-4-0x0000000003D70000-0x0000000003D94000-memory.dmp

memory/1620-6-0x0000000003EE0000-0x0000000003F02000-memory.dmp

memory/1620-5-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/1620-7-0x0000000002590000-0x0000000002690000-memory.dmp

memory/1620-8-0x0000000000260000-0x0000000000290000-memory.dmp

memory/1620-9-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe" -q

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1112 -ip 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:04

Platform

win7-20240903-en

Max time kernel

0s

Max time network

3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe

"C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5888e2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e5888e2.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5888e2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 4216 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 4216 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 212 wrote to memory of 2600 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 2600 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 2600 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2600 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2600 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2600 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2600 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2600 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3596 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 3596 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 3596 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 4140 wrote to memory of 4972 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 4972 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 4972 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 4588 wrote to memory of 4144 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5888e2.exe
PID 4588 wrote to memory of 4144 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5888e2.exe
PID 4588 wrote to memory of 4144 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5888e2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" ) do taskkill -im "%~NXj" -f

C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo

C:\Windows\SysWOW64\taskkill.exe

taskkill -im "0rr48RlGuyf8MbsABD4Fd5xg.exe" -f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr

C:\Users\Admin\AppData\Local\Temp\e5888e2.exe

"C:\Users\Admin\AppData\Local\Temp\e5888e2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4144 -ip 4144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 804

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 76.126.244.207:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

MD5 3b4348d187f24c82370836531f3fa94e
SHA1 a2ca4e9f4a8d9c8634e42765e90e252803e20b15
SHA256 cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7
SHA512 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

C:\Users\Admin\AppData\Local\Temp\HwWYSzK.F2

MD5 8586e83a33f4c1b8d81f568155663be7
SHA1 95a37fbaeb58fafbe14dfae8f539aeff509efb1f
SHA256 85ec523c939d552531246b8fe2f795b4623e1108945824525d549fda22d2afb9
SHA512 51aafad0bc8cd058196c042dab1c000a62a13caeaf5e432e2e7c5f8452b36e4e3a64e66b0aa9a981979edacc37c581957448a00ac5bd154e8081c06eb0de442f

memory/4588-9-0x00000000033B0000-0x0000000003461000-memory.dmp

memory/4588-10-0x0000000003470000-0x000000000350D000-memory.dmp

memory/4588-13-0x0000000003470000-0x000000000350D000-memory.dmp

memory/4588-14-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4588-17-0x0000000003470000-0x000000000350D000-memory.dmp

memory/4588-18-0x0000000003510000-0x0000000003DCE000-memory.dmp

memory/4588-19-0x0000000003DD0000-0x0000000003E65000-memory.dmp

memory/4588-21-0x0000000003E70000-0x0000000003F01000-memory.dmp

memory/4588-23-0x0000000003E70000-0x0000000003F01000-memory.dmp

memory/4588-20-0x0000000003E70000-0x0000000003F01000-memory.dmp

memory/4588-24-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/4588-25-0x0000000000CA0000-0x0000000000CA4000-memory.dmp

memory/4588-26-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5888e2.exe

MD5 858939a54a0406e5be7220b92b6eb2b3
SHA1 da24c0b6f723a74a8ec59e58c9c0aea3e86b7109
SHA256 a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a
SHA512 8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

memory/4144-41-0x0000000000930000-0x0000000000938000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20241010-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2856 set thread context of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

Network

Country Destination Domain Proto
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp

Files

memory/2856-0-0x000000007490E000-0x000000007490F000-memory.dmp

memory/2856-1-0x0000000000D40000-0x0000000000DDA000-memory.dmp

memory/2856-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2728-3-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-15-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2856-14-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2728-11-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-16-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2728-17-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2728-18-0x0000000074900000-0x0000000074FEE000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1152 set thread context of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 1152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp

Files

memory/1152-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

memory/1152-1-0x00000000003F0000-0x000000000048A000-memory.dmp

memory/1152-2-0x0000000004E10000-0x0000000004E86000-memory.dmp

memory/1152-3-0x0000000004DB0000-0x0000000004DCE000-memory.dmp

memory/1152-4-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/1152-5-0x0000000005630000-0x0000000005BD4000-memory.dmp

memory/3964-6-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2DWwzYoIDsZeXAHrWMUgq7wH.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/1152-9-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3964-11-0x00000000058F0000-0x0000000005982000-memory.dmp

memory/3964-10-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3964-12-0x0000000006980000-0x0000000006F98000-memory.dmp

memory/3964-13-0x0000000005B20000-0x0000000005B32000-memory.dmp

memory/3964-14-0x0000000008200000-0x000000000830A000-memory.dmp

memory/3964-16-0x00000000067F0000-0x000000000682C000-memory.dmp

memory/3964-15-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3964-17-0x0000000006930000-0x000000000697C000-memory.dmp

memory/3964-18-0x00000000748C0000-0x0000000075070000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20241010-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f781094.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f781094.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f781094.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2288 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2288 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2288 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2408 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2680 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2680 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2680 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2680 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2680 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2680 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2680 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2680 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2836 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2836 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2836 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2836 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2696 wrote to memory of 2596 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2596 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2596 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2596 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2836 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f781094.exe
PID 2624 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f781094.exe
PID 2624 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f781094.exe
PID 2624 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f781094.exe
PID 2768 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\f781094.exe C:\Windows\SysWOW64\WerFault.exe
PID 2768 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\f781094.exe C:\Windows\SysWOW64\WerFault.exe
PID 2768 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\f781094.exe C:\Windows\SysWOW64\WerFault.exe
PID 2768 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\f781094.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" ) do taskkill -im "%~NXj" -f

C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo

C:\Windows\SysWOW64\taskkill.exe

taskkill -im "0rr48RlGuyf8MbsABD4Fd5xg.exe" -f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr

C:\Users\Admin\AppData\Local\Temp\f781094.exe

"C:\Users\Admin\AppData\Local\Temp\f781094.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 532

Network

Country Destination Domain Proto
US 76.126.244.207:8080 tcp
US 76.126.244.207:8080 tcp

Files

\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

MD5 3b4348d187f24c82370836531f3fa94e
SHA1 a2ca4e9f4a8d9c8634e42765e90e252803e20b15
SHA256 cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7
SHA512 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

C:\Users\Admin\AppData\Local\Temp\HwWYSzK.F2

MD5 8586e83a33f4c1b8d81f568155663be7
SHA1 95a37fbaeb58fafbe14dfae8f539aeff509efb1f
SHA256 85ec523c939d552531246b8fe2f795b4623e1108945824525d549fda22d2afb9
SHA512 51aafad0bc8cd058196c042dab1c000a62a13caeaf5e432e2e7c5f8452b36e4e3a64e66b0aa9a981979edacc37c581957448a00ac5bd154e8081c06eb0de442f

memory/2624-11-0x0000000000830000-0x0000000000977000-memory.dmp

memory/2624-12-0x0000000000830000-0x0000000000977000-memory.dmp

memory/2624-13-0x0000000003640000-0x00000000036F1000-memory.dmp

memory/2624-14-0x0000000000E90000-0x0000000000F2D000-memory.dmp

memory/2624-17-0x0000000000E90000-0x0000000000F2D000-memory.dmp

memory/2624-21-0x0000000000E90000-0x0000000000F2D000-memory.dmp

memory/2624-22-0x0000000003700000-0x0000000003FBE000-memory.dmp

memory/2624-23-0x0000000003FC0000-0x0000000004055000-memory.dmp

memory/2624-25-0x0000000004060000-0x00000000040F1000-memory.dmp

memory/2624-24-0x0000000004060000-0x00000000040F1000-memory.dmp

memory/2624-27-0x0000000004060000-0x00000000040F1000-memory.dmp

memory/2624-28-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2624-30-0x0000000000100000-0x0000000000104000-memory.dmp

memory/2624-31-0x0000000000110000-0x0000000000116000-memory.dmp

\Users\Admin\AppData\Local\Temp\f781094.exe

MD5 858939a54a0406e5be7220b92b6eb2b3
SHA1 da24c0b6f723a74a8ec59e58c9c0aea3e86b7109
SHA256 a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a
SHA512 8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

memory/2768-52-0x0000000000D60000-0x0000000000D68000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win7-20240903-en

Max time kernel

147s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.EXE

Network

Country Destination Domain Proto
US 23.229.29.48:443 tcp

Files

memory/2584-0-0x0000000003D90000-0x0000000003E7F000-memory.dmp

memory/2584-1-0x0000000003D90000-0x0000000003E7F000-memory.dmp

memory/2584-2-0x0000000003EC0000-0x0000000003FC6000-memory.dmp

memory/2584-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2584-6-0x0000000003D90000-0x0000000003E7F000-memory.dmp

memory/2584-7-0x0000000003EC0000-0x0000000003FC6000-memory.dmp

memory/2584-9-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2584-8-0x0000000000400000-0x000000000248D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL

MD5 e1c44798064648b72e1a9c8c1b8050a9
SHA1 9059446fce02a29bbd7fdcb551b2cb1da42983c3
SHA256 74b41b170ecc051bf35111a54c94e677a753b84d333d3c57720b14353392b03b
SHA512 b5dcf42889fcce21085228c4d7cff3dfa2e71ca131f4b01794683b02286c55652a978de88e9e86d3b97a24e20ad2eeb3a91b7b7a8bf1cc1ce634a97713b124ab

memory/2828-20-0x0000000001F90000-0x00000000020F1000-memory.dmp

memory/2584-21-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2828-22-0x0000000001F90000-0x00000000020F1000-memory.dmp

memory/2584-35-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2584-34-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2828-38-0x0000000001F90000-0x00000000020F1000-memory.dmp

memory/2828-39-0x0000000001F90000-0x00000000020F1000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5044 set thread context of 1968 N/A C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/5044-1-0x0000000002430000-0x0000000002530000-memory.dmp

memory/5044-2-0x00000000040F0000-0x00000000040FA000-memory.dmp

memory/1968-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1968-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1968-7-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:06

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 356

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 70.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3188-1-0x0000000002750000-0x0000000002850000-memory.dmp

memory/3188-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3188-3-0x0000000000400000-0x00000000023AE000-memory.dmp

memory/3188-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3188-5-0x0000000000400000-0x00000000023AE000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-10 12:03

Reported

2024-11-10 12:07

Platform

win7-20241010-en

Max time kernel

122s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe" -q

Network

N/A

Files

N/A