Windows Analysis Report
unturnedHack.exe

Overview

General Information

Sample name:	unturnedHack.exe
Analysis ID:	1561488
MD5:	c5293ff604e4231fdffaa092fd7c5ca8
SHA1:	9e8aeb9ec19b8a6d534360883188872a257bb337
SHA256:	4531a1efd815df17d3a6f247d0850ab5e510de2345723e41c062716e65df686e
Tags:	exeuser-4k95m
Infos:

Detection

CredGrabber, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected CredGrabber

Yara detected Meduza Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Self deletion via cmd or bat file

Sigma detected: Suspicious Ping/Del Command Combination

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Found malware configuration

Source: 1.2.unturnedHack.exe.140000000.0.unpack

Malware Configuration Extractor: Meduza Stealer {"C2 url": "109.107.181.162", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "761", "self_destruct": true, "extensions": "none", "links": "none", "grabber_max_size": 1048576}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: unturnedHack.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140074DB0 CryptUnprotectData,LocalFree,	1_2_0000000140074DB0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112090 CryptUnprotectData,	1_2_0000000140112090
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400750D0 CryptProtectData,LocalFree,	1_2_00000001400750D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140038910 CryptUnprotectData,LocalFree,	1_2_0000000140038910

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: unturnedHack.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB530 FindClose,FindFirstFileExW,GetLastError,	1_2_00000001400EB530
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB5E0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	1_2_00000001400EB5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140037AA0 FindFirstFileW,FindNextFileW,	1_2_0000000140037AA0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140084A60 GetLogicalDriveStringsW,

1_2_0000000140084A60

Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49730 -> 109.107.181.162:15666
Source: Network traffic	Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49730 -> 109.107.181.162:15666

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 109.107.181.162:15666

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 109.107.181.162 109.107.181.162
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TELEPORT-TV-ASRU TELEPORT-TV-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49730 -> 109.107.181.162:15666

Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140082890 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,Concurrency::cancel_current_task,

1_2_0000000140082890

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: unturnedHack.exe, 00000001.00000003.1695750238.000002A22FF41000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1942978080.000002A22FF54000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1942952611.000002A22FF50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/Regi
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1696833003.000002A23067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1696833003.000002A23067E000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697272919.000002A23067F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1696833003.000002A23067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: unturnedHack.exe, 00000001.00000003.1705344411.000002A230798000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1702320125.000002A230976000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306C4000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB8B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB83000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB0C000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB04000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB8000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A230790000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705452295.000002A230750000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306BC000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697955109.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697638188.000002A230695000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697942439.000002A22F9A3000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697819366.000002A230659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697955109.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697638188.000002A230695000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697942439.000002A22F9A3000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697819366.000002A230659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unturnedHack.exe, 00000001.00000003.1705344411.000002A230798000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1702320125.000002A230976000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306C4000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB8B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB83000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB0C000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB04000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB8000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A230790000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705452295.000002A230750000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306BC000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FABF000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A2307A0000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1703473243.000002A230DC2000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB14000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FABF000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A2307A0000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1703473243.000002A230DC2000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB14000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400831C0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_00000001400831C0

Contains functionality to call native functions

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140088390 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,	1_2_0000000140088390
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112728 NtAllocateVirtualMemory,	1_2_0000000140112728
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140087C90 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,	1_2_0000000140087C90

Detected potential crypto function

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C2000	1_2_00000001400C2000
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C3180	1_2_00000001400C3180
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400831C0	1_2_00000001400831C0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140064200	1_2_0000000140064200
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003E240	1_2_000000014003E240
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140032260	1_2_0000000140032260
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400F2268	1_2_00000001400F2268
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014005D2B0	1_2_000000014005D2B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003F2E0	1_2_000000014003F2E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140045430	1_2_0000000140045430
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400AA588	1_2_00000001400AA588
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB5E0	1_2_00000001400EB5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014007C5E0	1_2_000000014007C5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400856A0	1_2_00000001400856A0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400796D0	1_2_00000001400796D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003D6E0	1_2_000000014003D6E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C4890	1_2_00000001400C4890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140082890	1_2_0000000140082890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003F890	1_2_000000014003F890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014008C9C0	1_2_000000014008C9C0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140034A50	1_2_0000000140034A50
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140037AA0	1_2_0000000140037AA0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140031B70	1_2_0000000140031B70
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CDBC0	1_2_00000001400CDBC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140084D10	1_2_0000000140084D10
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140083EC0	1_2_0000000140083EC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140079F00	1_2_0000000140079F00
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140008000	1_2_0000000140008000
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140051070	1_2_0000000140051070
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014008C090	1_2_000000014008C090
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400730F0	1_2_00000001400730F0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140058150	1_2_0000000140058150
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400701A0	1_2_00000001400701A0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006F200	1_2_000000014006F200
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009F268	1_2_000000014009F268
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400782D0	1_2_00000001400782D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400592D0	1_2_00000001400592D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400B32E0	1_2_00000001400B32E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140088390	1_2_0000000140088390
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009F384	1_2_000000014009F384
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140007460	1_2_0000000140007460
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EE4B0	1_2_00000001400EE4B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CE500	1_2_00000001400CE500
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006F500	1_2_000000014006F500
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C4530	1_2_00000001400C4530
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400DB540	1_2_00000001400DB540
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014004F570	1_2_000000014004F570
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400735A6	1_2_00000001400735A6
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003A5AD	1_2_000000014003A5AD
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400675D0	1_2_00000001400675D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014005C6B0	1_2_000000014005C6B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400296B0	1_2_00000001400296B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400886E0	1_2_00000001400886E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140075760	1_2_0000000140075760
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009D7E0	1_2_000000014009D7E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400277F0	1_2_00000001400277F0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140026800	1_2_0000000140026800
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009B810	1_2_000000014009B810
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006B810	1_2_000000014006B810
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400AA804	1_2_00000001400AA804
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400DA820	1_2_00000001400DA820
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006F830	1_2_000000014006F830
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400DA840	1_2_00000001400DA840
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140032890	1_2_0000000140032890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014007B8B0	1_2_000000014007B8B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400078F0	1_2_00000001400078F0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400949B4	1_2_00000001400949B4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400799C3	1_2_00000001400799C3
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C89E0	1_2_00000001400C89E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140098ABC	1_2_0000000140098ABC
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400A8B08	1_2_00000001400A8B08
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CFB20	1_2_00000001400CFB20
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006FB50	1_2_000000014006FB50
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140038B60	1_2_0000000140038B60
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CAB70	1_2_00000001400CAB70
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140083BA0	1_2_0000000140083BA0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C1BC0	1_2_00000001400C1BC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400F1BCC	1_2_00000001400F1BCC
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C6C00	1_2_00000001400C6C00
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CBC80	1_2_00000001400CBC80
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140032C90	1_2_0000000140032C90
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140072CB0	1_2_0000000140072CB0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140098CC0	1_2_0000000140098CC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400A1CB8	1_2_00000001400A1CB8
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014004DDA0	1_2_000000014004DDA0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140005DC0	1_2_0000000140005DC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140096DF0	1_2_0000000140096DF0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400AADF4	1_2_00000001400AADF4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400ABE30	1_2_00000001400ABE30
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006FE70	1_2_000000014006FE70
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140050E80	1_2_0000000140050E80
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140094EC0	1_2_0000000140094EC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140098EC4	1_2_0000000140098EC4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140071F40	1_2_0000000140071F40
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140052F80	1_2_0000000140052F80

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: String function: 000000014002E1B0 appears 32 times
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: String function: 0000000140030910 appears 31 times

PE file contains more sections than normal

Source: unturnedHack.exe

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/1@1/2

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140089910 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		1_2_0000000140089910
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112008 AdjustTokenPrivileges,CredEnumerateA,		1_2_0000000140112008

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014003F2E0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_000000014003F2E0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014007209A CoCreateInstance,

1_2_000000014007209A

Source: C:\Users\user\Desktop\unturnedHack.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963F7A8ECA9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03

Source: unturnedHack.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\unturnedHack.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: unturnedHack.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: unturnedHack.exe

Static file information: File size 4269056 > 1048576

Source: unturnedHack.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x38c000

Source: unturnedHack.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014003E240 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_000000014003E240

PE file contains sections with non-standard names

Source: unturnedHack.exe	Static PE information: section name: .00cfg
Source: unturnedHack.exe	Static PE information: section name: .gxfg
Source: unturnedHack.exe	Static PE information: section name: .retplne
Source: unturnedHack.exe	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014006B0F9 push rcx; iretd

1_2_000000014006B0FC

Terminates after testing mutex exists (may check infected machine status)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400796D0 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

1_2_00000001400796D0

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\unturnedHack.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000			Jump to behavior

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\unturnedHack.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB530 FindClose,FindFirstFileExW,GetLastError,	1_2_00000001400EB530
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB5E0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	1_2_00000001400EB5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140037AA0 FindFirstFileW,FindNextFileW,	1_2_0000000140037AA0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140084A60 GetLogicalDriveStringsW,

1_2_0000000140084A60

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400C83D0 GetSystemInfo,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAlloc2,

1_2_00000001400C83D0

Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: unturnedHack.exe	Binary or memory string: VBoxGuest
Source: unturnedHack.exe	Binary or memory string: VBoxMouse
Source: unturnedHack.exe	Binary or memory string: VBoxTray
Source: unturnedHack.exe	Binary or memory string: VBoxMRXNP
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DCCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: unturnedHack.exe, 00000001.00000003.1696203175.000002A22DCFA000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000002.1943610876.000002A22DCF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: unturnedHack.exe	Binary or memory string: VBoxHook
Source: unturnedHack.exe	Binary or memory string: VBoxSF

Source: C:\Users\user\Desktop\unturnedHack.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\unturnedHack.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\unturnedHack.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140088390 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,

1_2_0000000140088390

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140112300 IsDebuggerPresent,

1_2_0000000140112300

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400EDBBC GetLastError,IsDebuggerPresent,OutputDebugStringW,

1_2_00000001400EDBBC

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014003E240 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_000000014003E240

Enables debug privileges

Source: C:\Users\user\Desktop\unturnedHack.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112310 SetUnhandledExceptionFilter,		1_2_0000000140112310
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400938D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00000001400938D8

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\unturnedHack.exe

Memory written: C:\Users\user\Desktop\unturnedHack.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\unturnedHack.exe

Thread register set: target process: 6668

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400782D0 ShellExecuteW,

1_2_00000001400782D0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoEx,FormatMessageA,	1_2_00000001400EB1A0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_00000001400B0350
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoW,	1_2_00000001401123D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoW,	1_2_00000001400A5418
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,	1_2_00000001400B06AC
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,	1_2_00000001400B077C
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00000001400B0BB4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00000001400B0D98
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,	1_2_00000001400A4ED8

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\unturnedHack.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Queries time zone information

Source: C:\Users\user\Desktop\unturnedHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 0_2_00007FF6C0A0FDE4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6C0A0FDE4

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400837A0 GetUserNameW,

1_2_00000001400837A0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400AA588 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

1_2_00000001400AA588

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1943060514.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum\wallets
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DCCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: KHg2NCkgWzIzLjAxXQpNb3ppbGxhIEZpcmVmb3ggKHg2NCBlbi1VUykgWzExOC4wLjFdCk1vemlsbGEgTWFpbnRlbmFuY2UgU2VydmljZSBbMTE4LjAuMV0KTWljcm9zb2Z0IE9mZmljZSBQcm9mZXNzaW9uYWwgUGx1cyAyMDE5IC0gZW4tdXMgWzE2LjAuMTY4MjcuMjAxMzBdCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMjIgWDY0IEFkZGl0aW9uYWwgUnVudGltZSAtIDE0LjM2LjMyNTMyIFsxNC4zNi4zMjUzMl0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBMaWNlbnNpbmcgQ29tcG9uZW50IFsxNi4wLjE2ODI3LjIwMTMwXQpPZmZpY2UgMTYgQ2xpY2stdG8tUnVuIEV4dGVuc2liaWxpdHkgQ29tcG9uZW50IDY0LWJpdCBSZWdpc3RyYXRpb24gWzE2LjAuMTY4MjcuMjAwNTZdCkFkb2JlIEFjcm9iYXQgKDY0LWJpdCkgWzIzLjAwNi4yMDMyMF0KTWljcm9zb2Z0IFZpc3VhbCBDKysgMjAyMiBYNjQgTWluaW11bSBSdW50aW1lIC0gMTQuMzYuMzI1MzIgWzE0LjM2LjMyNTMyXQpHb29nbGUgQ2hyb21lIFsxMTcuMC41OTM4LjEzMl0KTWljcm9zb2Z0IEVkZ2UgWzExNy4wLjIwNDUuNDddCk1pY3Jvc29mdCBFZGdlIFVwZGF0ZSBbMS4zLjE3Ny4xMV0KTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSBbMTE3LjAuMjA0NS40N10KSmF2YSBBdXRvIFVwZGF0ZXIgWzIuOC4zODEuOV0KSmF2YSA4IFVwZGF0ZSAzODEgWzguMC4zODEwLjldCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMTUtMjAyMiBSZWRpc3RyaWJ1dGFibGUgKHg2NCkgLSAxNC4zNi4zMjUzMiBbMTQuMzYuMzI1MzIuMF0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBFeHRlbnNpYmlsaXR5IENvbXBvbmVudCBbMTYuMC4xNjgyNy4yMDEzMF0K
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1943060514.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.107.181.162	unknown	Russian Federation		49973	TELEPORT-TV-ASRU	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
api.ipify.org	104.26.13.205	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

AV Detection

Found malware configuration

Source: 1.2.unturnedHack.exe.140000000.0.unpack

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: unturnedHack.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140074DB0 CryptUnprotectData,LocalFree,	1_2_0000000140074DB0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112090 CryptUnprotectData,	1_2_0000000140112090
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400750D0 CryptProtectData,LocalFree,	1_2_00000001400750D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140038910 CryptUnprotectData,LocalFree,	1_2_0000000140038910

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: unturnedHack.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB530 FindClose,FindFirstFileExW,GetLastError,	1_2_00000001400EB530
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB5E0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	1_2_00000001400EB5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140037AA0 FindFirstFileW,FindNextFileW,	1_2_0000000140037AA0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140084A60 GetLogicalDriveStringsW,

1_2_0000000140084A60

Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49730 -> 109.107.181.162:15666
Source: Network traffic	Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49730 -> 109.107.181.162:15666

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 109.107.181.162:15666

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 109.107.181.162 109.107.181.162
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TELEPORT-TV-ASRU TELEPORT-TV-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49730 -> 109.107.181.162:15666

Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162

Source: C:\Users\user\Desktop\unturnedHack.exe

1_2_0000000140082890

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: unturnedHack.exe, 00000001.00000003.1695750238.000002A22FF41000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1942978080.000002A22FF54000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1942952611.000002A22FF50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/Regi
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1696833003.000002A23067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1696833003.000002A23067E000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697272919.000002A23067F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1696833003.000002A23067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: unturnedHack.exe, 00000001.00000003.1705344411.000002A230798000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1702320125.000002A230976000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306C4000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB8B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB83000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB0C000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB04000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB8000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A230790000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705452295.000002A230750000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306BC000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697955109.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697638188.000002A230695000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697942439.000002A22F9A3000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697819366.000002A230659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697955109.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: unturnedHack.exe, 00000001.00000003.1697819366.000002A23067D000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697638188.000002A230695000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697942439.000002A22F9A3000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697819366.000002A230659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: unturnedHack.exe, 00000001.00000003.1706043718.000002A22DD0A000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1706023274.000002A22F9A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: unturnedHack.exe, 00000001.00000003.1697272919.000002A230697000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1697076524.000002A22DD0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unturnedHack.exe, 00000001.00000003.1705344411.000002A230798000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1702320125.000002A230976000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306C4000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB8B000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB83000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB0C000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB04000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB8000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A230790000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705452295.000002A230750000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705533318.000002A2306BC000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FABF000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A2307A0000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1703473243.000002A230DC2000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB14000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unturnedHack.exe, 00000001.00000003.1700589020.000002A22FABF000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1705344411.000002A2307A0000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1703473243.000002A230DC2000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB14000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000003.1700589020.000002A22FB93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\unturnedHack.exe

1_2_00000001400831C0

Contains functionality to call native functions

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140088390 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,	1_2_0000000140088390
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112728 NtAllocateVirtualMemory,	1_2_0000000140112728
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140087C90 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,	1_2_0000000140087C90

Detected potential crypto function

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C2000	1_2_00000001400C2000
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C3180	1_2_00000001400C3180
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400831C0	1_2_00000001400831C0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140064200	1_2_0000000140064200
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003E240	1_2_000000014003E240
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140032260	1_2_0000000140032260
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400F2268	1_2_00000001400F2268
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014005D2B0	1_2_000000014005D2B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003F2E0	1_2_000000014003F2E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140045430	1_2_0000000140045430
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400AA588	1_2_00000001400AA588
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB5E0	1_2_00000001400EB5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014007C5E0	1_2_000000014007C5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400856A0	1_2_00000001400856A0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400796D0	1_2_00000001400796D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003D6E0	1_2_000000014003D6E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C4890	1_2_00000001400C4890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140082890	1_2_0000000140082890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003F890	1_2_000000014003F890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014008C9C0	1_2_000000014008C9C0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140034A50	1_2_0000000140034A50
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140037AA0	1_2_0000000140037AA0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140031B70	1_2_0000000140031B70
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CDBC0	1_2_00000001400CDBC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140084D10	1_2_0000000140084D10
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140083EC0	1_2_0000000140083EC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140079F00	1_2_0000000140079F00
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140008000	1_2_0000000140008000
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140051070	1_2_0000000140051070
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014008C090	1_2_000000014008C090
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400730F0	1_2_00000001400730F0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140058150	1_2_0000000140058150
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400701A0	1_2_00000001400701A0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006F200	1_2_000000014006F200
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009F268	1_2_000000014009F268
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400782D0	1_2_00000001400782D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400592D0	1_2_00000001400592D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400B32E0	1_2_00000001400B32E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140088390	1_2_0000000140088390
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009F384	1_2_000000014009F384
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140007460	1_2_0000000140007460
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EE4B0	1_2_00000001400EE4B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CE500	1_2_00000001400CE500
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006F500	1_2_000000014006F500
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C4530	1_2_00000001400C4530
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400DB540	1_2_00000001400DB540
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014004F570	1_2_000000014004F570
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400735A6	1_2_00000001400735A6
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014003A5AD	1_2_000000014003A5AD
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400675D0	1_2_00000001400675D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014005C6B0	1_2_000000014005C6B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400296B0	1_2_00000001400296B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400886E0	1_2_00000001400886E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140075760	1_2_0000000140075760
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009D7E0	1_2_000000014009D7E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400277F0	1_2_00000001400277F0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140026800	1_2_0000000140026800
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014009B810	1_2_000000014009B810
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006B810	1_2_000000014006B810
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400AA804	1_2_00000001400AA804
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400DA820	1_2_00000001400DA820
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006F830	1_2_000000014006F830
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400DA840	1_2_00000001400DA840
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140032890	1_2_0000000140032890
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014007B8B0	1_2_000000014007B8B0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400078F0	1_2_00000001400078F0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400949B4	1_2_00000001400949B4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400799C3	1_2_00000001400799C3
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C89E0	1_2_00000001400C89E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140098ABC	1_2_0000000140098ABC
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400A8B08	1_2_00000001400A8B08
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CFB20	1_2_00000001400CFB20
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006FB50	1_2_000000014006FB50
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140038B60	1_2_0000000140038B60
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CAB70	1_2_00000001400CAB70
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140083BA0	1_2_0000000140083BA0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C1BC0	1_2_00000001400C1BC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400F1BCC	1_2_00000001400F1BCC
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400C6C00	1_2_00000001400C6C00
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400CBC80	1_2_00000001400CBC80
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140032C90	1_2_0000000140032C90
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140072CB0	1_2_0000000140072CB0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140098CC0	1_2_0000000140098CC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400A1CB8	1_2_00000001400A1CB8
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014004DDA0	1_2_000000014004DDA0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140005DC0	1_2_0000000140005DC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140096DF0	1_2_0000000140096DF0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400AADF4	1_2_00000001400AADF4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400ABE30	1_2_00000001400ABE30
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_000000014006FE70	1_2_000000014006FE70
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140050E80	1_2_0000000140050E80
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140094EC0	1_2_0000000140094EC0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140098EC4	1_2_0000000140098EC4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140071F40	1_2_0000000140071F40
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140052F80	1_2_0000000140052F80

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: String function: 000000014002E1B0 appears 32 times
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: String function: 0000000140030910 appears 31 times

PE file contains more sections than normal

Source: unturnedHack.exe

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/1@1/2

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140089910 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		1_2_0000000140089910
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112008 AdjustTokenPrivileges,CredEnumerateA,		1_2_0000000140112008

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014003F2E0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_000000014003F2E0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014007209A CoCreateInstance,

1_2_000000014007209A

Source: C:\Users\user\Desktop\unturnedHack.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963F7A8ECA9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03

Source: unturnedHack.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\unturnedHack.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: unturnedHack.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: unturnedHack.exe

Static file information: File size 4269056 > 1048576

Source: unturnedHack.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x38c000

Source: unturnedHack.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: unturnedHack.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014003E240 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_000000014003E240

PE file contains sections with non-standard names

Source: unturnedHack.exe	Static PE information: section name: .00cfg
Source: unturnedHack.exe	Static PE information: section name: .gxfg
Source: unturnedHack.exe	Static PE information: section name: .retplne
Source: unturnedHack.exe	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014006B0F9 push rcx; iretd

1_2_000000014006B0FC

Terminates after testing mutex exists (may check infected machine status)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400796D0 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

1_2_00000001400796D0

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\unturnedHack.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000			Jump to behavior

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\unturnedHack.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB530 FindClose,FindFirstFileExW,GetLastError,	1_2_00000001400EB530
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400EB5E0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	1_2_00000001400EB5E0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140037AA0 FindFirstFileW,FindNextFileW,	1_2_0000000140037AA0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140084A60 GetLogicalDriveStringsW,

1_2_0000000140084A60

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400C83D0 GetSystemInfo,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAlloc2,

1_2_00000001400C83D0

Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: unturnedHack.exe	Binary or memory string: VBoxGuest
Source: unturnedHack.exe	Binary or memory string: VBoxMouse
Source: unturnedHack.exe	Binary or memory string: VBoxTray
Source: unturnedHack.exe	Binary or memory string: VBoxMRXNP
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DCCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: unturnedHack.exe, 00000001.00000003.1696203175.000002A22DCFA000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp, unturnedHack.exe, 00000001.00000002.1943610876.000002A22DCF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: unturnedHack.exe	Binary or memory string: VBoxHook
Source: unturnedHack.exe	Binary or memory string: VBoxSF

Source: C:\Users\user\Desktop\unturnedHack.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\unturnedHack.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\unturnedHack.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\unturnedHack.exe

1_2_0000000140088390

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_0000000140112300 IsDebuggerPresent,

1_2_0000000140112300

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400EDBBC GetLastError,IsDebuggerPresent,OutputDebugStringW,

1_2_00000001400EDBBC

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_000000014003E240 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_000000014003E240

Enables debug privileges

Source: C:\Users\user\Desktop\unturnedHack.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_0000000140112310 SetUnhandledExceptionFilter,		1_2_0000000140112310
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: 1_2_00000001400938D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00000001400938D8

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\unturnedHack.exe

Memory written: C:\Users\user\Desktop\unturnedHack.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\unturnedHack.exe

Thread register set: target process: 6668

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400782D0 ShellExecuteW,

1_2_00000001400782D0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Users\user\Desktop\unturnedHack.exe "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\unturnedHack.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoEx,FormatMessageA,	1_2_00000001400EB1A0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_00000001400B0350
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoW,	1_2_00000001401123D0
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoW,	1_2_00000001400A5418
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,	1_2_00000001400B06AC
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,	1_2_00000001400B077C
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00000001400B0BB4
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00000001400B0D98
Source: C:\Users\user\Desktop\unturnedHack.exe	Code function: EnumSystemLocalesW,	1_2_00000001400A4ED8

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\unturnedHack.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Queries time zone information

Source: C:\Users\user\Desktop\unturnedHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 0_2_00007FF6C0A0FDE4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6C0A0FDE4

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400837A0 GetUserNameW,

1_2_00000001400837A0

Source: C:\Users\user\Desktop\unturnedHack.exe

Code function: 1_2_00000001400AA588 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

1_2_00000001400AA588

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1943060514.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum\wallets
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DCCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: KHg2NCkgWzIzLjAxXQpNb3ppbGxhIEZpcmVmb3ggKHg2NCBlbi1VUykgWzExOC4wLjFdCk1vemlsbGEgTWFpbnRlbmFuY2UgU2VydmljZSBbMTE4LjAuMV0KTWljcm9zb2Z0IE9mZmljZSBQcm9mZXNzaW9uYWwgUGx1cyAyMDE5IC0gZW4tdXMgWzE2LjAuMTY4MjcuMjAxMzBdCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMjIgWDY0IEFkZGl0aW9uYWwgUnVudGltZSAtIDE0LjM2LjMyNTMyIFsxNC4zNi4zMjUzMl0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBMaWNlbnNpbmcgQ29tcG9uZW50IFsxNi4wLjE2ODI3LjIwMTMwXQpPZmZpY2UgMTYgQ2xpY2stdG8tUnVuIEV4dGVuc2liaWxpdHkgQ29tcG9uZW50IDY0LWJpdCBSZWdpc3RyYXRpb24gWzE2LjAuMTY4MjcuMjAwNTZdCkFkb2JlIEFjcm9iYXQgKDY0LWJpdCkgWzIzLjAwNi4yMDMyMF0KTWljcm9zb2Z0IFZpc3VhbCBDKysgMjAyMiBYNjQgTWluaW11bSBSdW50aW1lIC0gMTQuMzYuMzI1MzIgWzE0LjM2LjMyNTMyXQpHb29nbGUgQ2hyb21lIFsxMTcuMC41OTM4LjEzMl0KTWljcm9zb2Z0IEVkZ2UgWzExNy4wLjIwNDUuNDddCk1pY3Jvc29mdCBFZGdlIFVwZGF0ZSBbMS4zLjE3Ny4xMV0KTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSBbMTE3LjAuMjA0NS40N10KSmF2YSBBdXRvIFVwZGF0ZXIgWzIuOC4zODEuOV0KSmF2YSA4IFVwZGF0ZSAzODEgWzguMC4zODEwLjldCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMTUtMjAyMiBSZWRpc3RyaWJ1dGFibGUgKHg2NCkgLSAxNC4zNi4zMjUzMiBbMTQuMzYuMzI1MzIuMF0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBFeHRlbnNpYmlsaXR5IENvbXBvbmVudCBbMTYuMC4xNjgyNy4yMDEzMF0K
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: unturnedHack.exe, 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\unturnedHack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\unturnedHack.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.unturnedHack.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1943610876.000002A22DC87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1943060514.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unturnedHack.exe PID: 6668, type: MEMORYSTR

ID:	1561488
Product:	CloudBasic
Start time:	14:56:07
Start date:	23.11.2024
Sample:	unturnedHack.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c5293ff604e4231fdffaa092fd7c5ca8
SHA1:	9e8aeb9ec19b8a6d534360883188872a257bb337
SHA256:	4531a1efd815df17d3a6f247d0850ab5e510de2345723e41c062716e65df686e
Filetype:	Win64 Executable GUI (202006/5) 92.65%

Windows Analysis Report
unturnedHack.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report unturnedHack.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
unturnedHack.exe