Malware Analysis Report

2025-04-14 05:12

Sample ID: 250311-tz8zpaxrz2
Target: beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
SHA256: beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
Tags: loader guloader rat ransomware rezer0 miner blacknet blister guloader loaderbot mimikatz netfilter netwire pseudomanuscrypt quasar royal xtremerat zeppelin kandykorn hellokitty masslogger merlin mountlocker nefilim sodinokibi xmrig dridex
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Threat Level: Known bad

The file beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9 was found to be: Known bad.

Malicious Activity Summary

Detect Blister loader x32
LoaderBot executable
mimikatz is an open source tool to dump credentials on Windows
Nefilim ransomware executable
Detect XtremeRAT payload
Detected Mount Locker ransomware
Masslogger family
Merlin family
Mimikatz family
Quasar family
Xmrig family
Detect KandyKorn payload
Guloader family
NetWire RAT payload
Netfilter family
Sodinokibi family
Blister family
HelloKitty ELF
Merlin payload
Sodinokibi/Revil sample
Zeppelin family
Detects Zeppelin payload
Nefilim family
XMRig Miner payload
Xtremerat family
Kandykorn family
Mountlocker family
Pseudomanuscrypt family
Royal family
BlackNET payload
Detects PseudoManuscrypt payload
Hellokitty family
Loaderbot family
NetFilter Dropper
NetFilter payload
Netwire family
Royal Ransomware
MassLogger log file
Quasar payload
Blacknet family
Dridex family
Guloader payload
ReZer0 packer
Patched UPX-packed file
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-03-11 16:30

Signatures

Static signatures are listed with the family tag the report attaches to them. Where a signature carried a detail table, all of its columns (Description, Indicator, Process, Target) were N/A; those entries are marked "details: N/A".

BlackNET payload (details: N/A)
Blacknet family (tag: blacknet)
Blister family (tag: blister)
Detect Blister loader x32 (tag: loader; details: N/A)
Detect KandyKorn payload (details: N/A)
Detect XtremeRAT payload (details: N/A)
Detected Mount Locker ransomware (details: N/A)
Detects PseudoManuscrypt payload (tag: loader; details: N/A)
Detects Zeppelin payload (details: N/A)
Dridex family (tag: dridex)
Guloader family (tag: guloader)
Guloader payload (tag: guloader; details: N/A)
HelloKitty ELF (details: N/A)
Hellokitty family (tag: hellokitty)
Kandykorn family (tag: kandykorn)
LoaderBot executable (details: N/A)
Loaderbot family (tag: loaderbot)
MassLogger log file (details: N/A)
Masslogger family (tag: masslogger)
Merlin family (tag: merlin)
Merlin payload (details: N/A)
Mimikatz family (tag: mimikatz)
Mountlocker family (tag: mountlocker)
Nefilim family (tag: nefilim)
Nefilim ransomware executable (details: N/A)
NetFilter Dropper (details: N/A)
NetFilter payload (details: N/A)
NetWire RAT payload (tag: rat; details: N/A)
Netfilter family (tag: netfilter)
Netwire family (tag: netwire)
Pseudomanuscrypt family (tag: pseudomanuscrypt)
Quasar family (tag: quasar)
Quasar payload (details: N/A)
Royal Ransomware (tag: ransomware; details: N/A)
Royal family (tag: royal)
Sodinokibi family (tag: sodinokibi)
Sodinokibi/Revil sample (details: N/A)
XMRig Miner payload (tag: miner; details: N/A)
Xmrig family (tag: xmrig)
Xtremerat family (tag: xtremerat)
Zeppelin family (tag: zeppelin)
mimikatz is an open source tool to dump credentials on Windows (details: N/A)
ReZer0 packer (tag: rezer0; details: N/A)
Patched UPX-packed file (details: N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-11 16:30
Reported: 2025-03-11 16:31
Platform: win11-20250217-en
Max time kernel: 26s
Max time network: 7s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Signatures

Checks SCSI registry key(s)

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
Process: C:\Windows\system32\taskmgr.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Process: C:\Windows\system32\taskmgr.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName
Process: C:\Windows\system32\taskmgr.exe
Target: N/A

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask
Process: C:\Windows\system32\taskmgr.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\system32\taskmgr.exe
Target: N/A

Description: Token: SeSystemProfilePrivilege
Indicator: N/A
Process: C:\Windows\system32\taskmgr.exe
Target: N/A

Description: Token: SeCreateGlobalPrivilege
Indicator: N/A
Process: C:\Windows\system32\taskmgr.exe
Target: N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

Network

N/A

Files

memory/4004-0-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-2-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-1-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-6-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-9-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-10-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-12-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-11-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-8-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-7-0x00000224B10D0000-0x00000224B10D1000-memory.dmp