Analysis Overview
SHA256
beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
Threat Level: Known bad
The file beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9 was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Guloader family
NetWire RAT payload
Royal Ransomware
Detects PseudoManuscrypt payload
Masslogger family
Netwire family
mimikatz is an open source tool to dump credentials on Windows
LoaderBot executable
Kandykorn family
Detects Zeppelin payload
Dridex family
Xmrig family
Merlin family
Mimikatz family
Mountlocker family
Quasar family
BlackNET payload
Detected Mount Locker ransomware
Loaderbot family
Nefilim family
Royal family
NetFilter payload
Merlin payload
Blister family
Detect KandyKorn payload
MassLogger log file
Sodinokibi/Revil sample
XMRig Miner payload
Detect XtremeRAT payload
Blacknet family
Xtremerat family
Hellokitty family
Quasar payload
Detect Blister loader x32
Guloader payload
Netfilter family
Zeppelin family
HelloKitty ELF
Nefilim ransomware executable
NetFilter Dropper
Pseudomanuscrypt family
ReZer0 packer
Patched UPX-packed file
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-11 16:06
Signatures
BlackNET payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blacknet family
Blister family
Detect Blister loader x32
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detect KandyKorn payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detected Mount Locker ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detects PseudoManuscrypt payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detects Zeppelin payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dridex family
Guloader family
Guloader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
HelloKitty ELF
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Hellokitty family
Kandykorn family
LoaderBot executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loaderbot family
MassLogger log file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Masslogger family
Merlin family
Merlin payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Mimikatz family
Mountlocker family
Nefilim family
Nefilim ransomware executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NetFilter Dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NetFilter payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Netfilter family
Netwire family
Pseudomanuscrypt family
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Royal Ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Royal family
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
Xtremerat family
Zeppelin family
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Patched UPX-packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-11 16:06
Reported
2025-03-11 16:16
Platform
win7-20240903-en
Max time kernel
361s
Max time network
362s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\EnableApprove.fon
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-11 16:06
Reported
2025-03-11 16:16
Platform
win10v2004-20250217-en
Max time kernel
575s
Max time network
585s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2832 wrote to memory of 4892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\print.exe |
| PID 2832 wrote to memory of 4892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\print.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\print.exe
"C:\Windows\system32\print.exe" h9
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
memory/2832-2-0x00007FFD3C233000-0x00007FFD3C235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zfgco1hj.p11.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |