Malware Analysis Report

2025-01-03 06:23

Sample ID 241120-ly8njawbjq
Target Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
SHA256 106b8ab5586be4278c912337bffd6800d9ac4f9ef70b719cbe18720c3665f8a6
Tags
asyncrat stormkitty discovery persistence rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

106b8ab5586be4278c912337bffd6800d9ac4f9ef70b719cbe18720c3665f8a6

Threat Level: Known bad

The file Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty discovery persistence rat stealer

Stormkitty family

AsyncRat

StormKitty payload

Asyncrat family

StormKitty

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 09:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 09:57

Reported

2024-11-20 10:03

Platform

win11-20241007-en

Max time kernel

92s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Image = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\Document\" \"C:\\Users\\Admin\\Document\\Image.exe\"" C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2020 set thread context of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6068 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe
PID 6068 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe
PID 2020 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2020 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2020 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2020 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2020 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2020 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2020 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2020 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2020 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe

"C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe"

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5636 -ip 5636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1304

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Image.exe

MD5 25ab75a586f4b22ebae81e74b20bfee9
SHA1 97f52704adbbd42f1c6415f565241ba1521c450f
SHA256 14a4044215f341ba1ece3e49d475e309749b65c8959f2724d26209ed705a225a
SHA512 cfa18fcccdeb95450f9ddb24dd620edca3faec765d339395884bcd2369783e37fd41ab3923a2d7439512670eb9389555dfc5a72adb725c818d2a5f4ea5154f7c

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\Qt5Core.dll

MD5 81dfc4d19287e5a20ea735c996f31e79
SHA1 4549705d9577d8412650e75a450b87b6f41d6bda
SHA256 9bf148b63984bda3e68c853064974661b191adaa38a813d722ed0c6e843e92b5
SHA512 5283d91d17ea63229159e7a8c3765369fd08334084c0cb89aacae6087c186b7af8bbc5f05b2d690f93fb76c8336e120fae3f6ff6bb05a86a8e010c7de38e4fd0

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\MSVCP140.dll

MD5 29c6c243cfb1cec96b4a1008274f9600
SHA1 c54b10ef6305cc3814c68e6c8fd6daecbb27622a
SHA256 44a5af24f8d5f9c50a9e5a200a0486100afb6a0e86377e2e3e622a7bbb57cb04
SHA512 39c34554ea7b6d433c2aecfdeff87959e625e943bf7a446ebca8e5878eaf24198c1b188359a0343fb78478f2bc8b986ca4d0e69d39bac6ff80cb901fe4f113ee

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\VCRUNTIME140.dll

MD5 02794a29811ba0a78e9687a0010c37ce
SHA1 97b5701d18bd5e25537851614099e2ffce25d6d8
SHA256 1729421a22585823493d5a125cd43a470889b952a2422f48a7bc8193f5c23b0f
SHA512 caf2a478e9c78c8e93dd2288ed98a9261fcf2b7e807df84f2e4d76f8130c2e503eb2470c947a678ac63e59d7d54f74e80e743d635428aa874ec2d06df68d0272

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\VCRUNTIME140_1.dll

MD5 d8d1a08176ba2542c58669c1c04da1b7
SHA1 e0d0059baf23fb5e1d2dadedc12e2f53c930256d
SHA256 26c29d01df73a8e35d32e430c892d925abb6e4ad62d3630ae42b69daacba1a0d
SHA512 5308790fbcf6348e87e7d5b9235ed66942527326f7ba556c910d68d94617bdd247a4ed540b4b9f8d4e73d15cf4a7204c0a57d4fd348ec26e53f39b91be8617fb

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\concrt140e.dll

MD5 40059b087a7e9e13a994061f792ee0f4
SHA1 61622bbc8969b2da776bb13519c414114f232c8a
SHA256 c0e2767ff31b0f4702fea6f34c1502a3150a23b5c2222f67045c12613b9fe379
SHA512 5190ccb2ec91b5af0e9a10531b5c2a3c82e316388d26811fae4261402f633aa4e391813a71104dc170f97fad3e09ebabaa584cf8756056a915b593b61832d0cc

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-conio-l1-1-0.dll

MD5 fa770bcd70208a479bde8086d02c22da
SHA1 28ee5f3ce3732a55ca60aee781212f117c6f3b26
SHA256 e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf
SHA512 f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-convert-l1-1-0.dll

MD5 4ec4790281017e616af632da1dc624e1
SHA1 342b15c5d3e34ab4ac0b9904b95d0d5b074447b7
SHA256 5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639
SHA512 80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-environment-l1-1-0.dll

MD5 7a859e91fdcf78a584ac93aa85371bc9
SHA1 1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7
SHA256 b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607
SHA512 a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 972544ade7e32bfdeb28b39bc734cdee
SHA1 87816f4afabbdec0ec2cfeb417748398505c5aa9
SHA256 7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86
SHA512 5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-heap-l1-1-0.dll

MD5 8906279245f7385b189a6b0b67df2d7c
SHA1 fcf03d9043a2daafe8e28dee0b130513677227e4
SHA256 f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f
SHA512 67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-locale-l1-1-0.dll

MD5 dd8176e132eedea3322443046ac35ca2
SHA1 d13587c7cc52b2c6fbcaa548c8ed2c771a260769
SHA256 2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e
SHA512 77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-math-l1-1-0.dll

MD5 a6a3d6d11d623e16866f38185853facd
SHA1 fbeadd1e9016908ecce5753de1d435d6fcf3d0b5
SHA256 a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0
SHA512 abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 b5c8af5badcdefd8812af4f63364fe2b
SHA1 750678935010a83e2d83769445f0d249e4568a8d
SHA256 7101b3dff525ea47b7a40dd96544c944ae400447df7a6acd07363b6d7968b889
SHA512 a2a8d08d658f5ed368f9fb556bfb13b897f31e9540bfdfff6567826614d6c5f0d64bd08fec66c63e74d852ab6b083294e187507e83f2bc284dfb7ca5c86ae047

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-private-l1-1-0.dll

MD5 d76e7aaecb3d1ca9948c31bdae52eb9d
SHA1 142a2bb0084faa2a25d0028846921545f09d9ae9
SHA256 785c49fd9f99c6eb636d78887aa186233e9304921dd835dee8f72e2609ff65c4
SHA512 52da403286659cf201c72fa0ab3c506ade86c7e2fef679f35876a5cec4aee97afbc5bb13a259c51efb8706f6ae7f5a6a3800176b89f424b6a4e9f3d5b8289620

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-runtime-l1-1-0.dll

MD5 f1a23c251fcbb7041496352ec9bcffbe
SHA1 be4a00642ec82465bc7b3d0cc07d4e8df72094e8
SHA256 d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198
SHA512 31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-process-l1-1-0.dll

MD5 074b81a625fb68159431bb556d28fab5
SHA1 20f8ead66d548cfa861bc366bb1250ced165be24
SHA256 3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65
SHA512 36388c3effa0d94cf626decaa1da427801cc5607a2106abdadf92252c6f6fd2ce5bf0802f5d0a4245a1ffdb4481464c99d60510cf95e83ebaf17bd3d6acbc3dc

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-stdio-l1-1-0.dll

MD5 55b2eb7f17f82b2096e94bca9d2db901
SHA1 44d85f1b1134ee7a609165e9c142188c0f0b17e0
SHA256 f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb
SHA512 0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-string-l1-1-0.dll

MD5 9b79965f06fd756a5efde11e8d373108
SHA1 3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50
SHA256 1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6
SHA512 7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-time-l1-1-0.dll

MD5 1d48a3189a55b632798f0e859628b0fb
SHA1 61569a8e4f37adc353986d83efc90dc043cdc673
SHA256 b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0
SHA512 47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\api-ms-win-crt-utility-l1-1-0.dll

MD5 dbc27d384679916ba76316fb5e972ea6
SHA1 fb9f021f2220c852f6ff4ea94e8577368f0616a4
SHA256 dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1
SHA512 cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\concrt140.dll

MD5 8e658a8572dbe14ea8af0420d7238a13
SHA1 121695b55a4c920a23f52c3a0f34db289342c800
SHA256 8330266110921bd09707b5e1dd5e78b26c43a7c90fa3851cd890a9a95b59cb43
SHA512 f4212fad6c057633f6ba177b9fcf83f3ab4b3805970da1cdefe756f5456ff9ed69a56cd47cfadffd79d8320a3e8c9d73522b7f613f2fe02bcd3aac19f5099b78

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\libcueify.dll

MD5 506d7cf2810e4d3ff7e50ee7c71b62d0
SHA1 aba5e009696554ca768211f2f906f00c81fa6a38
SHA256 a43722085c8c223aeefe3779bf3242cd69b1e80765ffce03d228c72dd2d6aae5
SHA512 82965bd4b2263d878e99fe51d57f4895f036db847e14033224a8ba54c631a538d92e83aaa54f2eb1697ad4aff4a025017e06cc0d0f40f3e2909c920646de5fee

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\msvcp140_codecvt_ids.dll

MD5 9e2c3f3f64d1dc9c9250b57e9aba9c65
SHA1 01b5ba668fe14d1ef2cbc11f4c7b1e1637dd8191
SHA256 72cf299b6202746283aa34a24a09e4a379f1c55b204c45051c25806831231d30
SHA512 cca38e3c51a1b9d94666208dac643d45cdf62845d9c4c9b00a92385d0a8237e1b4bfdf56627b2bd9a3a0207d9fbcf90aa6a2a8dab7b85fd84ce363b514e31f1f

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\msvcp140_atomic_wait.dll

MD5 b0b12a70523474dfa921cfab93b3b4d1
SHA1 b32bd6e6cee84d782c37a58837e5134614148ad7
SHA256 5f7f53042fb676ce44b5ac727aad4b455406f468386002be58d0a921ab8e6b60
SHA512 96c717a895100cf7b478746de71598c83c7c24689fdf0dc2d01db92acde9fc4cd73a28072654b32001302421e7c60edc0ea04a298a4fbf6790cd5542aa104fa9

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\msvcp140_2.dll

MD5 e295254863c16050233c102baea803d9
SHA1 4aed63d2e75c034569107564d9d62b30deaf7f78
SHA256 d4579c608880afefccdcaa40b392bca578c7d29a1fa2bec592e2fa5615e598a8
SHA512 f68161e8913d91fb9d66c7514889cb6e73b98bbfa4840200c32915d3620ea3904a2e869d160c079b33ec307a8a9507149db648b22931f28c31ada202e7bfce5e

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\msvcp140_1.dll

MD5 be0a66fb57f23c904f3ed2bb14dac688
SHA1 78dbb1de942f35e81154339ae1e8e4cedc2e5dad
SHA256 6599ae8785f4ce2fe28ceb2c313e418ae690a72bbff74d120f8c8f54cf7ff7f3
SHA512 d23d03e8c89cada02734331337cf8a86b7ae26b03c6ee0515855061efecfd093663a96a4115b1f6614f3304cd32b45ebfeb65dada11cdd1a468c8026e870106b

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\vcomp140.dll

MD5 5135a292d5762ecc7577b90fbf4189eb
SHA1 7f9c0c4a1f08e458857bebd1bbcd84b8f6d0b7d0
SHA256 def922f1fce75c46765e04daa5a598e77c941f001481da9f0dc9b47ca8570a8e
SHA512 fa3cd95cec8a73fc560f536e9c7e41cea7af6b96258e1381a2a140f9b609be7cd7843da849977b436beb9760924a5b70d97373c0816f4fd56f501d5f4fd511ff

C:\Users\Admin\AppData\Local\Temp\eccbd1059c11c11329dc1f625b6afd2d\ucrtbase.dll

MD5 849959a003fa63c5a42ae87929fcd18b
SHA1 d1b80b3265e31a2b5d8d7da6183146bbd5fb791b
SHA256 6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232
SHA512 64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

memory/5636-96-0x0000000000400000-0x000000000064A000-memory.dmp

memory/5636-97-0x000000007498E000-0x000000007498F000-memory.dmp

memory/5636-98-0x00000000061D0000-0x0000000006776000-memory.dmp

memory/5636-100-0x0000000074980000-0x0000000075131000-memory.dmp

memory/5636-101-0x00000000059D0000-0x0000000005A36000-memory.dmp

memory/5636-102-0x0000000074980000-0x0000000075131000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 09:57

Reported

2024-11-20 10:03

Platform

win10v2004-20241007-en

Max time kernel

270s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe

"C:\Users\Admin\AppData\Local\Temp\Image_processed_by_Vidnoz.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe"

C:\Users\Admin\AppData\Local\Temp\ab1d9672ee1938b18f747ca12ae0afd9\Image.exe

C:\Users\Admin\AppData\Local\Temp\ab1d9672ee1938b18f747ca12ae0afd9\Image.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ab1d9672ee1938b18f747ca12ae0afd9\Image.exe

MD5 25ab75a586f4b22ebae81e74b20bfee9
SHA1 97f52704adbbd42f1c6415f565241ba1521c450f
SHA256 14a4044215f341ba1ece3e49d475e309749b65c8959f2724d26209ed705a225a
SHA512 cfa18fcccdeb95450f9ddb24dd620edca3faec765d339395884bcd2369783e37fd41ab3923a2d7439512670eb9389555dfc5a72adb725c818d2a5f4ea5154f7c

C:\Users\Admin\AppData\Local\Temp\ab1d9672ee1938b18f747ca12ae0afd9\Qt5Core.dll

MD5 81dfc4d19287e5a20ea735c996f31e79
SHA1 4549705d9577d8412650e75a450b87b6f41d6bda
SHA256 9bf148b63984bda3e68c853064974661b191adaa38a813d722ed0c6e843e92b5
SHA512 5283d91d17ea63229159e7a8c3765369fd08334084c0cb89aacae6087c186b7af8bbc5f05b2d690f93fb76c8336e120fae3f6ff6bb05a86a8e010c7de38e4fd0

C:\Users\Admin\AppData\Local\Temp\ab1d9672ee1938b18f747ca12ae0afd9\MSVCP140.dll

MD5 29c6c243cfb1cec96b4a1008274f9600
SHA1 c54b10ef6305cc3814c68e6c8fd6daecbb27622a
SHA256 44a5af24f8d5f9c50a9e5a200a0486100afb6a0e86377e2e3e622a7bbb57cb04
SHA512 39c34554ea7b6d433c2aecfdeff87959e625e943bf7a446ebca8e5878eaf24198c1b188359a0343fb78478f2bc8b986ca4d0e69d39bac6ff80cb901fe4f113ee

C:\Users\Admin\AppData\Local\Temp\ab1d9672ee1938b18f747ca12ae0afd9\vcruntime140_1.dll

MD5 d8d1a08176ba2542c58669c1c04da1b7
SHA1 e0d0059baf23fb5e1d2dadedc12e2f53c930256d
SHA256 26c29d01df73a8e35d32e430c892d925abb6e4ad62d3630ae42b69daacba1a0d
SHA512 5308790fbcf6348e87e7d5b9235ed66942527326f7ba556c910d68d94617bdd247a4ed540b4b9f8d4e73d15cf4a7204c0a57d4fd348ec26e53f39b91be8617fb

C:\Users\Admin\AppData\Local\Temp\ab1d9672ee1938b18f747ca12ae0afd9\vcruntime140.dll

MD5 02794a29811ba0a78e9687a0010c37ce
SHA1 97b5701d18bd5e25537851614099e2ffce25d6d8
SHA256 1729421a22585823493d5a125cd43a470889b952a2422f48a7bc8193f5c23b0f
SHA512 caf2a478e9c78c8e93dd2288ed98a9261fcf2b7e807df84f2e4d76f8130c2e503eb2470c947a678ac63e59d7d54f74e80e743d635428aa874ec2d06df68d0272