680cb9fea15a1f1c5004abd791b1b27383640b985d0f95578871aeacd7d83d0a

Analysis

max time kernel
68s
max time network
54s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SonicSAGE.exe
Size

198.2MB
MD5

170ac0f07fd31adb71cc556c7aa50c35
SHA1

ab1a834ffd57b4e18af5475d299bd04ba14ce472
SHA256

680cb9fea15a1f1c5004abd791b1b27383640b985d0f95578871aeacd7d83d0a
SHA512

563f5fecaf462efc84aac94510816a9ebd265fbc27fc7a5eefe88b8ab390e6b680d722af9b13e1738b7146924d9aff6ae06f932e8d1f8fee3e92284a06b7dc13
SSDEEP

3145728:pFyh9NvfiE4dQw4zhQSGYBuzqVNF1OFZhckc8fHK2duv5B0oi9s4hQWzwwM+rzTB:y4yPQSGY8zqVn4FZvS2MxMs4+MbRSAP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 14 IoCs

pid	Process
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe
1536	DISCORD BIRTHDAY NITRO CLAIMER.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
36	api.ipify.org

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2580	2160	WerFault.exe	41
2436	1872	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SonicSAGE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SonicSAGE.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	1536	DISCORD BIRTHDAY NITRO CLAIMER.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2580	2160	SonicSAGE.exe	43
PID 2160 wrote to memory of 2580	2160	SonicSAGE.exe	43
PID 2160 wrote to memory of 2580	2160	SonicSAGE.exe	43
PID 2160 wrote to memory of 2580	2160	SonicSAGE.exe	43
PID 2872 wrote to memory of 1536	2872	DISCORD BIRTHDAY NITRO CLAIMER.exe	56
PID 2872 wrote to memory of 1536	2872	DISCORD BIRTHDAY NITRO CLAIMER.exe	56
PID 2872 wrote to memory of 1536	2872	DISCORD BIRTHDAY NITRO CLAIMER.exe	56
PID 1872 wrote to memory of 2436	1872	SonicSAGE.exe	59
PID 1872 wrote to memory of 2436	1872	SonicSAGE.exe	59
PID 1872 wrote to memory of 2436	1872	SonicSAGE.exe	59
PID 1872 wrote to memory of 2436	1872	SonicSAGE.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1508 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:2
1⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=1460 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:1
1⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\SonicSAGE.exe
"C:\Users\Admin\AppData\Local\Temp\SonicSAGE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 96
  2⤵
  - Program crash
  PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1360 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=3704 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:1
1⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=3660 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:1
1⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3868 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3904 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3952 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3964 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1112 --field-trial-handle=1240,i,5840852975693765782,17937181755701592508,131072 /prefetch:8
1⤵
PID:2104

C:\Users\Admin\Downloads\DISCORD BIRTHDAY NITRO CLAIMER.exe
"C:\Users\Admin\Downloads\DISCORD BIRTHDAY NITRO CLAIMER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\Downloads\DISCORD BIRTHDAY NITRO CLAIMER.exe
  "C:\Users\Admin\Downloads\DISCORD BIRTHDAY NITRO CLAIMER.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

C:\Users\Admin\AppData\Local\Temp\SonicSAGE.exe
"C:\Users\Admin\AppData\Local\Temp\SonicSAGE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 96
  2⤵
  - Program crash
  PID:2436

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28722\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\_bz2.pyd

Filesize
87KB

MD5
92075c2759ac8246953e6fa6323e43fe

SHA1
6818befe630c2656183ea7fe735db159804b7773

SHA256
e7af6119b56ddd47fd0a909710f7163d7ef4822405fc138d24e6ce9de7a5022f

SHA512
7f3a4409859695f53291c96dd487bca2649815bad5f4610c2c6f92777411d39210e293d962573a20dfe73ea15331de7e6c18b017ae1d6f226387eab1fc1f586c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\_hashlib.pyd

Filesize
38KB

MD5
7808b500fbfb17c968f10ee6d68461df

SHA1
2a8e54037e7d03d20244fefd8247cf218e1d668f

SHA256
e2701f4e4a7556adab7415e448070289ba4fe047227f48c3a049d7c3154aff0b

SHA512
b4239e792141bcf924f61bfd46033934337079b245f423b34820d36c6599ca35ab06bc525acfff4cafa75e31975fcd0409dedd203377d642fc5dc55ec2c1fa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\_lzma.pyd

Filesize
251KB

MD5
ab582419629183e1615b76fc5d2c7704

SHA1
b78ee7e725a417bef50cca47590950e970eae200

SHA256
5a45f7cd517ad396a042bc2767ae73221dc68f934e828a9433249924a371ee5e

SHA512
3f38441dd0b88b486dafaa1e15d07f0ee467a362c1603071a2fa79de770fa061ced25ca790f0d3139f31178c719cc82ac88601262e2a0ca809708dfa3f6f76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\_queue.pyd

Filesize
27KB

MD5
a48af48dd880c11673469c1ade525558

SHA1
01e9bbcd7eccaa6d5033544e875c7c20f8812124

SHA256
a98e9f330eeaf40ef516237ab5bc1efac1fc49ed321a128be78dd3fb8733e0a4

SHA512
a535dadb79c1ca10506858226442d1d1fb00e5d6f99afa6b539e2506a6627a7bd624a7ee2bc61f55c974113de80fd7a95e6c18e9402736d32d5099077ca1b913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\_socket.pyd

Filesize
74KB

MD5
10cd16bb63862536570c717ffc453da4

SHA1
b3ef50d7ac4652b5c35f1d86a0130fb43dd5a669

SHA256
e002a1bd6fba44681d557b64d439585dba9820226e1c3da5a62628bbaa930ae3

SHA512
55ee581c4005901661efaf9aad6ea39b2b2e265579539d464d62e4209638567b3b9fdd945d0bed0a1047f977d374a5707a970c621ca289077e2d6c5aeca491b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\_sqlite3.pyd

Filesize
84KB

MD5
244d92824ef54b139ecd4f2b58a5d9d5

SHA1
ff5696f6e3dc42e578a580299ac53d8c5e11d917

SHA256
fd55c3e3b2863425050619b8d42fe19cf06c1c8e2e11f7076e1f4422663e6851

SHA512
10fba938064bca2b9163d6c0d0a0361d0ebd896e32346cade3e4a439475c223ced59ac8f9c51727d5556149b14990ab62ee6769c35cf067aaac5d63dd5d4688f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\_ssl.pyd

Filesize
121KB

MD5
8b5af5ac31b6bde9023a4adc3e7f0ce1

SHA1
c5d7eaaed9be784227a0854bfb8a983058410a35

SHA256
7040d3712f31b7d11882ce8c907452fa725678b646b900f6868f43ab3e4ddab6

SHA512
499aa2321a2e5492c700513d63cf08fc12d3a430a5e9f5d865279919f6d7b74385b6767bbee63616f84b52d02070b16b2d4c3921163c42864f33e7b5331b1444

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\base_library.zip

Filesize
768KB

MD5
a99c283c4ac2fbda1f7097cbb11f0709

SHA1
74fc5979610bf09befe6ae9dc10636b3568662e0

SHA256
fda3cdd2a5a0fb8b7a88cf60ec36bcb24701e824592de5dba00eb78fd1a10580

SHA512
79c9fa423f805b97c238e1276301a506315d684510842725b04c264ecfa0764450f8e0a341858ef16360d7edef4e51a3e1600d46c7bfe424d8b7b7fc1824c232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\certifi\cacert.pem

Filesize
274KB

MD5
77eef70800962694031e78c7352738d7

SHA1
b767d89e989477beb79ba2d5b340b0b4f7ae2192

SHA256
732befe49c758070023448f619a3abb088f44e4f05992bc7478dae873be56ad8

SHA512
0b3984f7bf9d37648a26ef5d3a93e15d5c2e8a443df123121ba43ca858939346cca0d613f04f2d9aba5420b1291ef429fea84e60920220086b153aac61a20f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\python37.dll

Filesize
3.6MB

MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\select.pyd

Filesize
26KB

MD5
39b7c056bca546778690b9922315f9ff

SHA1
5f62169c8de1f72db601d30b37d157478723859b

SHA256
9514b4c40c35396b1952a8acf805e993a3875b37370f44ef36ed33c7151412ef

SHA512
229538131d83299ea90652818c99972c1ee692c070e7fea9599420c99dd8ae75fb2367e9509aad23984fe0a8d21221a59bd57493b5cd1d6c7391c3c55d714e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\sqlite3.dll

Filesize
1.2MB

MD5
8e75a7cf495ee6c1381b1f4a7979f736

SHA1
b6d250bf8d3b04f5666d2eedb7c6eb96614a0081

SHA256
48a58913429af487390f4bf7bb1c6790a0a9980ecc6b7a78238cd685f8a2baad

SHA512
78c32021a6c3af8a85acaa20481db9b49cbeccc755123d31b50a207cd5925833e454b3cdfc06b51e4b25f49b27e02693a067933f4d697f830cb3b985eeaf13a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28722\unicodedata.pyd

Filesize
1.0MB

MD5
d2ab7f9a441bb139feeb0e11eb600371

SHA1
467aeb881fccd4a43a16f319635da81f05279cc6

SHA256
465ab1b24c39a5a5da9415c96740dfdb4d071b25a7a87e275841e1d66a57e88f

SHA512
cf8eaae07c176fab5ca54a3935ec2fd6933e3f2d0ca107bf60f1389f2258865d101685918c7a04802da2a97980747935f1b56b0da3d1db3a1ea282f74db0b6a0

Download Submit
memory/1872-71-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1872-73-0x0000000000400000-0x0000000001486000-memory.dmp

Filesize
16.5MB

Download
memory/1872-72-0x0000000000330000-0x000000000039A000-memory.dmp

Filesize
424KB

Download
memory/2160-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000001490000-0x00000000014FA000-memory.dmp

Filesize
424KB

Download
memory/2160-2-0x0000000000400000-0x0000000001486000-memory.dmp

Filesize
16.5MB

Download