Analysis Overview
SHA256
8d82945bd5782a593aa632fdb3fe3b651893e434545b8c22e4576b3a2a0248d8
Threat Level: Known bad
The file 8d82945bd5782a593aa632fdb3fe3b651893e434545b8c22e4576b3a2a0248d8 was found to be: Known bad.
Malicious Activity Summary
Xloader
Agenttesla family
Purecrypter family
WarzoneRat, AveMaria
AgentTesla
Warzonerat family
PureCrypter
Xloader family
AgentTesla payload
Xloader payload
Warzone RAT payload
Drops file in Drivers directory
Executes dropped EXE
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads WinSCP keys stored on the system
Loads dropped DLL
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
Adds Run key to start application
Power Settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
NSIS installer
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 20:01
Signatures
Purecrypter family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win7-20240708-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
WarzoneRat, AveMaria
Warzonerat family
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrcehddkx = "C:\\Users\\Admin\\AppData\\Roaming\\ckalk\\orwxcwhslf.exe" | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cucacm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe"
C:\Users\Admin\AppData\Local\Temp\cucacm.exe
C:\Users\Admin\AppData\Local\Temp\cucacm.exe C:\Users\Admin\AppData\Local\Temp\bjyydoipe
C:\Users\Admin\AppData\Local\Temp\cucacm.exe
C:\Users\Admin\AppData\Local\Temp\cucacm.exe C:\Users\Admin\AppData\Local\Temp\bjyydoipe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 200
Network
Files
\Users\Admin\AppData\Local\Temp\cucacm.exe
| MD5 | 0bb7c6c0a98823d2add4de29846ef777 |
| SHA1 | b4d39b7a0faa45f1892ea4faa4c9fd57977d0fb6 |
| SHA256 | 0db9ef4a094cc5597c748c3f83d35287000d1b2519ae092c85f9c5f4ec5cf42a |
| SHA512 | e69d3df91eee94cb10a0ace66e29c3e66b39df9c8679ad485af5a825d8c052a6d49b6718c9a03920dcd9609b4c0f095542606fc400afe973e596402ba63a7d21 |
memory/2352-9-0x00000000005A0000-0x00000000005A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pj97qgwmrec6zq
| MD5 | 3de61fc0d9edc15c8920851bb741630e |
| SHA1 | 4e2cab6c32aa3340d1e16e83f3bc786c8b6d414e |
| SHA256 | 19a3867640f40922fac213e0bffeb041ef8f3f584fc3c50c7ad00c621998408b |
| SHA512 | ea1e9eccbd1ad18999a6f75e0f824b28fe452d145633df72c03e8079bda8b2d2ed59360bac21f175c54e8fd2cafd436a99b679b281a9db2f1a0018961a6d2281 |
C:\Users\Admin\AppData\Local\Temp\bjyydoipe
| MD5 | cc4686355c8ec136f2ddfe449c7c125b |
| SHA1 | 4c6117b697941280e7b5cfa92c043ea9cbdff78b |
| SHA256 | cbc951f59f2bf791e4a83d4721b9feb5002ad8de5167dbbddf4a69f7c1fb34db |
| SHA512 | 3f9ab318e0a8d30356e21156ee21a202ab0de5cb584e67a74f35556e21d7e6e1bb6c3c6056ba7f2a31241ef7ce805afa581c629534368ed15986de17fa4e81ef |
memory/1712-13-0x00000000001C0000-0x0000000000314000-memory.dmp
memory/1712-20-0x00000000001C0000-0x0000000000314000-memory.dmp
memory/1712-25-0x00000000001C0000-0x0000000000314000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 32 set thread context of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe | C:\Windows\SysWOW64\powercfg.exe |
| PID 1012 set thread context of 3436 | N/A | C:\Windows\SysWOW64\powercfg.exe | C:\Windows\Explorer.EXE |
| PID 1012 set thread context of 3436 | N/A | C:\Windows\SysWOW64\powercfg.exe | C:\Windows\Explorer.EXE |
| PID 2680 set thread context of 3436 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\powercfg.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe
"C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe"
C:\Windows\SysWOW64\GamePanel.exe
"C:\Windows\SysWOW64\GamePanel.exe"
C:\Windows\SysWOW64\msra.exe
"C:\Windows\SysWOW64\msra.exe"
C:\Windows\SysWOW64\appidtel.exe
"C:\Windows\SysWOW64\appidtel.exe"
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\SysWOW64\powercfg.exe"
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\powercfg.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.bakshipping.com | udp |
| US | 8.8.8.8:53 | www.blue-chipwordtoscan-today.info | udp |
| US | 8.8.8.8:53 | www.heicensus.xyz | udp |
| US | 8.8.8.8:53 | www.xn--12c1cybcl4e.com | udp |
| TH | 119.59.100.52:80 | www.xn--12c1cybcl4e.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.xn--12c1cybcl4e.com | udp |
| TH | 119.59.100.52:80 | www.xn--12c1cybcl4e.com | tcp |
| US | 8.8.8.8:53 | www.sattaking-gaziabad.xyz | udp |
| GB | 185.77.97.156:80 | www.sattaking-gaziabad.xyz | tcp |
| US | 8.8.8.8:53 | 156.97.77.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gamefi-giveaway.com | udp |
| US | 8.8.8.8:53 | 102.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.mingyuan.men | udp |
| US | 8.8.8.8:53 | www.034655858.com | udp |
| US | 8.8.8.8:53 | www.loveseaton.com | udp |
| US | 8.8.8.8:53 | www.isabellechiritoiabogada.com | udp |
| US | 8.8.8.8:53 | www.yh2.space | udp |
| US | 8.8.8.8:53 | www.remediationnews.com | udp |
| US | 198.185.159.145:80 | www.remediationnews.com | tcp |
| US | 8.8.8.8:53 | 145.159.185.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.batuhanasut.com | udp |
| US | 8.8.8.8:53 | www.getmusicheard.com | udp |
| US | 8.8.8.8:53 | www.classiclord.com | udp |
| US | 8.8.8.8:53 | www.handwerks-service.com | udp |
Files
memory/32-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp
memory/32-1-0x0000000000030000-0x000000000012C000-memory.dmp
memory/32-2-0x0000000004CF0000-0x0000000004D8C000-memory.dmp
memory/32-3-0x0000000004D90000-0x0000000004E56000-memory.dmp
memory/32-4-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/32-5-0x0000000004E60000-0x0000000004F0C000-memory.dmp
memory/1012-6-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1012-7-0x0000000001650000-0x000000000199A000-memory.dmp
memory/1012-10-0x0000000001190000-0x00000000011A1000-memory.dmp
memory/1012-9-0x0000000000400000-0x0000000000445000-memory.dmp
memory/3436-11-0x00000000030E0000-0x00000000031B7000-memory.dmp
memory/32-13-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/3436-17-0x00000000086D0000-0x00000000087EE000-memory.dmp
memory/1012-16-0x0000000001320000-0x0000000001331000-memory.dmp
memory/1012-15-0x0000000000400000-0x0000000000445000-memory.dmp
memory/3436-18-0x00000000030E0000-0x00000000031B7000-memory.dmp
memory/2680-19-0x0000000000BA0000-0x0000000000BAA000-memory.dmp
memory/2680-20-0x0000000000BA0000-0x0000000000BAA000-memory.dmp
memory/2680-21-0x0000000000EC0000-0x0000000000EE9000-memory.dmp
memory/3436-22-0x00000000086D0000-0x00000000087EE000-memory.dmp
memory/3436-25-0x00000000087F0000-0x00000000088BF000-memory.dmp
memory/3436-27-0x00000000087F0000-0x00000000088BF000-memory.dmp
memory/3436-28-0x00000000087F0000-0x00000000088BF000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win7-20240903-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
PureCrypter
Purecrypter family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe
"C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe"
Network
| Country | Destination | Domain | Proto |
| JP | 13.231.238.12:80 | N/A | tcp |
| JP | 13.231.238.12:80 | N/A | tcp |
| JP | 13.231.238.12:80 | N/A | tcp |
| JP | 13.231.238.12:80 | N/A | tcp |
| JP | 13.231.238.12:80 | N/A | tcp |
Files
memory/2364-0-0x000000007441E000-0x000000007441F000-memory.dmp
memory/2364-1-0x0000000001240000-0x0000000001250000-memory.dmp
memory/2364-2-0x0000000074410000-0x0000000074AFE000-memory.dmp
memory/2364-3-0x000000007441E000-0x000000007441F000-memory.dmp
memory/2364-4-0x0000000074410000-0x0000000074AFE000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe
"C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 680 -ip 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 552
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win7-20241023-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jySHQG = "C:\\Users\\Admin\\AppData\\Roaming\\jySHQG\\jySHQG.exe" | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1444 set thread context of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe C:\Users\Admin\AppData\Local\Temp\tjzfybzskq
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe C:\Users\Admin\AppData\Local\Temp\tjzfybzskq
Network
Files
\Users\Admin\AppData\Local\Temp\vxrlhg.exe
| MD5 | 80fee08628f07e4a7b845cc50733dacc |
| SHA1 | 01293924c19486df0c778f367bd91570d2a8fe23 |
| SHA256 | 1e636514dc1362a291840f1b2752c61c94914061296df098b176956681f14d77 |
| SHA512 | 177df61cb33e7fb15b2e9226006871265ea729ca8a2f7ad6f36c6372f6d43171d05bc7821a5bc09e5e215f328414fb0f0e3ecaa0cd39ec5cd970f8515a93e5e7 |
C:\Users\Admin\AppData\Local\Temp\tjzfybzskq
| MD5 | 41e93b996c8af83bf3d4b728ac7df71a |
| SHA1 | 3a143f132d7fc9c97b872fdceb30531b59af5ead |
| SHA256 | f42e50d794d6f6ffae8c14af097bc050091f435603a6b236b986d9b8d7e6a4b6 |
| SHA512 | 4a19306838dbcd51ac6eb2d4d2625769834dc2fc0f297949f5b7467d5f32d54e4c81433cb2d39e141a644c767bf6c06bc7ed2ab5396256cf8c4e4b1ad92b1e1d |
C:\Users\Admin\AppData\Local\Temp\et3cra8zhyjmrm2jktsg
| MD5 | 93204c274660dc48195abcb69f9feb98 |
| SHA1 | aec1f57e2b5d13c2e890a9a85779690d20ac5eef |
| SHA256 | 3a7051d9961b5ebd0c7f29b989165de72bc6c786f82f0038e89905596f790c85 |
| SHA512 | 42c42e92e1445ab965711a167a8fa0ff616df6fdf0142b4798cdf03ec0ea5aa3b4af1c29d84d5834afa9fb1ded611c3380042fb08625a9ef45d51e1100c6b606 |
memory/1444-9-0x0000000000200000-0x0000000000202000-memory.dmp
memory/1716-12-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1716-15-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1716-16-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1716-18-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1716-19-0x0000000001F00000-0x0000000001F3C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
142s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4816 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
| PID 4816 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
| PID 4816 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
| PID 3564 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
| PID 3564 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
| PID 3564 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe C:\Users\Admin\AppData\Local\Temp\tjzfybzskq
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe C:\Users\Admin\AppData\Local\Temp\tjzfybzskq
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3564 -ip 3564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe
| MD5 | 80fee08628f07e4a7b845cc50733dacc |
| SHA1 | 01293924c19486df0c778f367bd91570d2a8fe23 |
| SHA256 | 1e636514dc1362a291840f1b2752c61c94914061296df098b176956681f14d77 |
| SHA512 | 177df61cb33e7fb15b2e9226006871265ea729ca8a2f7ad6f36c6372f6d43171d05bc7821a5bc09e5e215f328414fb0f0e3ecaa0cd39ec5cd970f8515a93e5e7 |
C:\Users\Admin\AppData\Local\Temp\et3cra8zhyjmrm2jktsg
| MD5 | 93204c274660dc48195abcb69f9feb98 |
| SHA1 | aec1f57e2b5d13c2e890a9a85779690d20ac5eef |
| SHA256 | 3a7051d9961b5ebd0c7f29b989165de72bc6c786f82f0038e89905596f790c85 |
| SHA512 | 42c42e92e1445ab965711a167a8fa0ff616df6fdf0142b4798cdf03ec0ea5aa3b4af1c29d84d5834afa9fb1ded611c3380042fb08625a9ef45d51e1100c6b606 |
C:\Users\Admin\AppData\Local\Temp\tjzfybzskq
| MD5 | 41e93b996c8af83bf3d4b728ac7df71a |
| SHA1 | 3a143f132d7fc9c97b872fdceb30531b59af5ead |
| SHA256 | f42e50d794d6f6ffae8c14af097bc050091f435603a6b236b986d9b8d7e6a4b6 |
| SHA512 | 4a19306838dbcd51ac6eb2d4d2625769834dc2fc0f297949f5b7467d5f32d54e4c81433cb2d39e141a644c767bf6c06bc7ed2ab5396256cf8c4e4b1ad92b1e1d |
memory/3564-8-0x0000000002190000-0x0000000002192000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win7-20241010-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2820 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2820 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2820 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2820 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe
"C:\Users\Admin\AppData\Local\Temp\vxrlhg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 168
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrcehddkx = "C:\\Users\\Admin\\AppData\\Roaming\\ckalk\\orwxcwhslf.exe" | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cucacm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe"
C:\Users\Admin\AppData\Local\Temp\cucacm.exe
C:\Users\Admin\AppData\Local\Temp\cucacm.exe C:\Users\Admin\AppData\Local\Temp\bjyydoipe
C:\Users\Admin\AppData\Local\Temp\cucacm.exe
C:\Users\Admin\AppData\Local\Temp\cucacm.exe C:\Users\Admin\AppData\Local\Temp\bjyydoipe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3256 -ip 3256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 776
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\cucacm.exe
| MD5 | 0bb7c6c0a98823d2add4de29846ef777 |
| SHA1 | b4d39b7a0faa45f1892ea4faa4c9fd57977d0fb6 |
| SHA256 | 0db9ef4a094cc5597c748c3f83d35287000d1b2519ae092c85f9c5f4ec5cf42a |
| SHA512 | e69d3df91eee94cb10a0ace66e29c3e66b39df9c8679ad485af5a825d8c052a6d49b6718c9a03920dcd9609b4c0f095542606fc400afe973e596402ba63a7d21 |
C:\Users\Admin\AppData\Local\Temp\bjyydoipe
| MD5 | cc4686355c8ec136f2ddfe449c7c125b |
| SHA1 | 4c6117b697941280e7b5cfa92c043ea9cbdff78b |
| SHA256 | cbc951f59f2bf791e4a83d4721b9feb5002ad8de5167dbbddf4a69f7c1fb34db |
| SHA512 | 3f9ab318e0a8d30356e21156ee21a202ab0de5cb584e67a74f35556e21d7e6e1bb6c3c6056ba7f2a31241ef7ce805afa581c629534368ed15986de17fa4e81ef |
C:\Users\Admin\AppData\Local\Temp\pj97qgwmrec6zq
| MD5 | 3de61fc0d9edc15c8920851bb741630e |
| SHA1 | 4e2cab6c32aa3340d1e16e83f3bc786c8b6d414e |
| SHA256 | 19a3867640f40922fac213e0bffeb041ef8f3f584fc3c50c7ad00c621998408b |
| SHA512 | ea1e9eccbd1ad18999a6f75e0f824b28fe452d145633df72c03e8079bda8b2d2ed59360bac21f175c54e8fd2cafd436a99b679b281a9db2f1a0018961a6d2281 |
memory/3256-8-0x00000000009E0000-0x00000000009E2000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win7-20241023-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cucacm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2504 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2504 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2504 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2504 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cucacm.exe
"C:\Users\Admin\AppData\Local\Temp\cucacm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 212
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win7-20240708-en
Max time kernel
146s
Max time network
122s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3036 set thread context of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe | C:\Windows\SysWOW64\sxstrace.exe |
| PID 2172 set thread context of 1204 | N/A | C:\Windows\SysWOW64\sxstrace.exe | C:\Windows\Explorer.EXE |
| PID 2324 set thread context of 1204 | N/A | C:\Windows\SysWOW64\wlanext.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sxstrace.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlanext.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sxstrace.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\sxstrace.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe
"C:\Users\Admin\AppData\Local\Temp\CATALOGO CAMPIONI2022 IMAGINATON SRL.exe"
C:\Windows\SysWOW64\sxstrace.exe
"C:\Windows\SysWOW64\sxstrace.exe"
C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\sxstrace.exe"
Network
Files
memory/3036-0-0x00000000742AE000-0x00000000742AF000-memory.dmp
memory/3036-1-0x0000000001130000-0x000000000122C000-memory.dmp
memory/3036-2-0x0000000000FF0000-0x00000000010B6000-memory.dmp
memory/3036-3-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/3036-4-0x0000000000D60000-0x0000000000E0C000-memory.dmp
memory/2172-5-0x0000000000400000-0x0000000000445000-memory.dmp
memory/2172-6-0x0000000000400000-0x0000000000445000-memory.dmp
memory/2172-7-0x0000000000400000-0x0000000000445000-memory.dmp
memory/2172-10-0x0000000000400000-0x0000000000445000-memory.dmp
memory/2172-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2172-11-0x0000000000790000-0x0000000000A93000-memory.dmp
memory/2172-14-0x00000000001D0000-0x00000000001E1000-memory.dmp
memory/2172-13-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1204-15-0x0000000006950000-0x0000000006A82000-memory.dmp
memory/3036-16-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2324-18-0x0000000000200000-0x0000000000216000-memory.dmp
memory/2324-17-0x0000000000200000-0x0000000000216000-memory.dmp
memory/2324-19-0x00000000000C0000-0x00000000000E9000-memory.dmp
memory/1204-20-0x0000000006950000-0x0000000006A82000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe
"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sync-shop.com | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 72.247.176.59:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 225.219.220.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.25.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.176.247.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
Files
memory/4016-0-0x0000000002240000-0x0000000002241000-memory.dmp
memory/4016-2-0x0000000000406000-0x0000000000407000-memory.dmp
memory/4016-3-0x0000000000400000-0x00000000004AD000-memory.dmp
memory/4016-4-0x0000000002240000-0x0000000002241000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cucacm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cucacm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cucacm.exe
"C:\Users\Admin\AppData\Local\Temp\cucacm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3480 -ip 3480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 648
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
PureCrypter
Purecrypter family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe
"C:\Users\Admin\AppData\Local\Temp\IMG1067410252030.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.36.72.23.in-addr.arpa | udp |
| JP | 13.231.238.12:80 | | tcp |
| US | 8.8.8.8:53 | 96.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| JP | 13.231.238.12:80 | | tcp |
Files
memory/1080-0-0x00000000743EE000-0x00000000743EF000-memory.dmp
memory/1080-1-0x0000000000800000-0x0000000000810000-memory.dmp
memory/1080-2-0x00000000743E0000-0x0000000074B90000-memory.dmp
memory/1080-3-0x00000000743EE000-0x00000000743EF000-memory.dmp
memory/1080-4-0x00000000743E0000-0x0000000074B90000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-21 20:01
Reported
2024-11-21 20:04
Platform
win7-20240903-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe
"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sync-shop.com | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
Files
memory/2512-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2512-3-0x0000000000400000-0x00000000004AD000-memory.dmp
memory/2512-2-0x0000000000406000-0x0000000000407000-memory.dmp