Analysis Overview
SHA256
beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
Threat Level: Known bad
The file beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9 was found to be: Known bad.
Malicious Activity Summary
Detect Blister loader x32
LoaderBot executable
mimikatz is an open source tool to dump credentials on Windows
Nefilim ransomware executable
Detect XtremeRAT payload
Detected Mount Locker ransomware
Masslogger family
Merlin family
Mimikatz family
Quasar family
Xmrig family
Detect KandyKorn payload
Guloader family
NetWire RAT payload
Netfilter family
Sodinokibi family
Blister family
HelloKitty ELF
Merlin payload
Sodinokibi/Revil sample
Zeppelin family
Detects Zeppelin payload
Nefilim family
XMRig Miner payload
Xtremerat family
Kandykorn family
Mountlocker family
Pseudomanuscrypt family
Royal family
BlackNET payload
Detects PseudoManuscrypt payload
Hellokitty family
Loaderbot family
NetFilter Dropper
NetFilter payload
Netwire family
Royal Ransomware
MassLogger log file
Quasar payload
Blacknet family
Dridex family
Guloader payload
ReZer0 packer
Patched UPX-packed file
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-11 16:30
Signatures
BlackNET payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blacknet family
Blister family
Detect Blister loader x32
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detect KandyKorn payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detected Mount Locker ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detects PseudoManuscrypt payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Detects Zeppelin payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dridex family
Guloader family
Guloader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
HelloKitty ELF
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Hellokitty family
Kandykorn family
LoaderBot executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loaderbot family
MassLogger log file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Masslogger family
Merlin family
Merlin payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Mimikatz family
Mountlocker family
Nefilim family
Nefilim ransomware executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NetFilter Dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NetFilter payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Netfilter family
Netwire family
Pseudomanuscrypt family
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Royal Ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Royal family
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
Xtremerat family
Zeppelin family
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Patched UPX-packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-11 16:30
Reported
2025-03-11 16:31
Platform
win11-20250217-en
Max time kernel
26s
Max time network
7s
Command Line
Signatures
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
Network
Files
memory/4004-0-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-2-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-1-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-6-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-9-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-10-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-12-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-11-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-8-0x00000224B10D0000-0x00000224B10D1000-memory.dmp
memory/4004-7-0x00000224B10D0000-0x00000224B10D1000-memory.dmp