Windows Analysis Report
https://cgigroup.blob.core.windows.net/cgi-protective-monitoring-service/tools/get-stinger.html

Overview

General Information

Sample URL: https://cgigroup.blob.core.windows.net/cgi-protective-monitoring-service/tools/get-stinger.html
Analysis ID: 1432276

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
Blob-based file download detected
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found potential string decryption / allocating functions
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC36D60 BCryptGenRandom, 11_2_00007FF6ACC36D60
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBD9DC6 EncryptMessage, 11_2_00007FF6ACBD9DC6
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBDA278 EncryptMessage, 11_2_00007FF6ACBDA278
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBDC38E DecryptMessage, 11_2_00007FF6ACBDC38E
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB8D99A BCryptGenRandom,SystemFunction036,BCryptGenRandom, 11_2_00007FF6ACB8D99A
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBDB299 FreeContextBuffer,DecryptMessage, 11_2_00007FF6ACBDB299
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC2F480 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,BCryptGenRandom,CloseHandle, 11_2_00007FF6ACC2F480
Source: https://cgigroup.blob.core.windows.net/cgi-protective-monitoring-service/tools/get-stinger.html HTTP Parser: No favicon
Source: https://cgigroup.blob.core.windows.net/cgi-protective-monitoring-service/tools/get-stinger.html HTTP Parser: No favicon
Source: Binary string: d45bc07722646519ed8e2be5e9bd2f9e scmdat.pdb source: avvdat.ini.12.dr
Source: Binary string: FileName=scmdat.pdb source: avvdat.ini.12.dr
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC24930 memset,FindFirstFileW,FindClose,FindCloseChangeNotification, 11_2_00007FF6ACC24930

Networking

Source: Traffic Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 52.239.247.100:443 -> 192.168.11.20:61410
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.227.46
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.227.46
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.227.46
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.227.46
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.227.46
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.227.46
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC3A124 recv,WSAGetLastError, 11_2_00007FF6ACC3A124
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: www.mcafee.com
Source: global traffic DNS traffic detected: DNS query: download.nai.com
Source: global traffic DNS traffic detected: DNS query: downloadcenter.trellix.com
Source: global traffic TCP traffic: 192.168.11.20:58553 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:58553 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:58553 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:58553 -> 239.255.255.250:1900
Source: McAfeeStinger.exe, 0000000B.00000003.16251601434.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000002.16253412965.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF0154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: McAfeeStinger.exe, 0000000B.00000003.16251601434.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000002.16253412965.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF0154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: McAfeeStinger.exe, 0000000B.00000003.16251601434.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000002.16253412965.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000002.16253412965.000002971406D000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF00FB000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF0154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: McAfeeStinger.exe, 0000000B.00000000.16243909873.00007FF6ACC4F000.00000002.00000001.01000000.00000006.sdmp, McAfeeStinger.exe, 0000000B.00000002.16254373691.00007FF6ACC4F000.00000002.00000001.01000000.00000006.sdmp, McAfeeStinger.exe, 0000000C.00000002.16346981265.00007FF6ACC4F000.00000002.00000001.01000000.00000006.sdmp, McAfeeStinger.exe, 0000000C.00000000.16252299512.00007FF6ACC4F000.00000002.00000001.01000000.00000006.sdmp, bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp.0.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportC:
Source: bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp.0.dr String found in binary or memory: https://download.nai.com/products/commonupdater/avvdat.ini
Source: bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp.0.dr String found in binary or memory: https://downloadcenter.trellix.com/products/mcafee-avert/Stinger/stinger64.exe
Source: McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF00E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://downloadcenter.trellix.com/products/mcafee-avert/Stinger/stinger64.exei
Source: McAfeeStinger.exe, 0000000B.00000003.16251601434.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000002.16253412965.00000297140D8000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000002.16253412965.000002971406D000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF00FB000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF0154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: McAfeeStinger.exe, 0000000B.00000003.16251429129.0000029714117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pam.mcafee.com
Source: McAfeeStinger.exe, 0000000B.00000002.16253412965.000002971409C000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000002.16253412965.00000297140C4000.00000004.00000020.00020000.00000000.sdmp, McAfeeStinger.exe, 0000000B.00000003.16251601434.00000297140C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/favicon.ico
Source: McAfeeStinger.exe, 0000000B.00000002.16253412965.000002971409C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/favicon.ico3
Source: McAfeeStinger.exe, 0000000B.00000002.16253412965.000002971409C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/favicon.ico32
Source: McAfeeStinger.exe, 0000000B.00000002.16253412965.000002971409C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/favicon.icoB_;
Source: bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp.0.dr String found in binary or memory: https://www.mcafee.com/favicon.icositexml
Source: unknown Network traffic detected: HTTP traffic on port 55989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55989
Source: unknown Network traffic detected: HTTP traffic on port 58042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61204
Source: unknown Network traffic detected: HTTP traffic on port 56351 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56351

System Summary

Source: C:\Users\user\Downloads\McAfeeStinger.exe File download: blob:https://cgigroup.blob.core.windows.net/f15c1ee9-9ccd-46e1-a333-e8a31d16a077
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBBEB35 NtDeviceIoControlFile,RtlNtStatusToDosError, 11_2_00007FF6ACBBEB35
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC1BEF0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 11_2_00007FF6ACC1BEF0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBBF264 NtCreateFile,RtlNtStatusToDosError,CreateIoCompletionPort,SetFileCompletionNotificationModes,GetLastError,CloseHandle, 11_2_00007FF6ACBBF264
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBBE77D NtCancelIoFileEx,RtlNtStatusToDosError, 11_2_00007FF6ACBBE77D
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC22390 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 11_2_00007FF6ACC22390
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBBEB35 NtDeviceIoControlFile,RtlNtStatusToDosError, 11_2_00007FF6ACBBEB35
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC3EDD4 11_2_00007FF6ACC3EDD4
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB2AA0 11_2_00007FF6ACBB2AA0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBBAC44 11_2_00007FF6ACBBAC44
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC3E5F6 11_2_00007FF6ACC3E5F6
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBE22D1 11_2_00007FF6ACBE22D1
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBDE39B 11_2_00007FF6ACBDE39B
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC3A374 11_2_00007FF6ACC3A374
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBD24D8 11_2_00007FF6ACBD24D8
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC37DA9 11_2_00007FF6ACC37DA9
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBA80DB 11_2_00007FF6ACBA80DB
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC27B20 11_2_00007FF6ACC27B20
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC0BA80 11_2_00007FF6ACC0BA80
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB1AAA 11_2_00007FF6ACBB1AAA
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBEDBBE 11_2_00007FF6ACBEDBBE
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC198DB 11_2_00007FF6ACC198DB
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC078B1 11_2_00007FF6ACC078B1
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBC550A 11_2_00007FF6ACBC550A
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC14E30 11_2_00007FF6ACC14E30
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC04DA0 11_2_00007FF6ACC04DA0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC18DB1 11_2_00007FF6ACC18DB1
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC42F20 11_2_00007FF6ACC42F20
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC21000 11_2_00007FF6ACC21000
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBE8FB9 11_2_00007FF6ACBE8FB9
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC47054 11_2_00007FF6ACC47054
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC1EA00 11_2_00007FF6ACC1EA00
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB82B10 11_2_00007FF6ACB82B10
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4AA73 11_2_00007FF6ACC4AA73
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC12D10 11_2_00007FF6ACC12D10
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC18CB9 11_2_00007FF6ACC18CB9
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC32C50 11_2_00007FF6ACC32C50
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB88630 11_2_00007FF6ACB88630
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4A5E0 11_2_00007FF6ACC4A5E0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4C655 11_2_00007FF6ACC4C655
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB0666 11_2_00007FF6ACBB0666
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBF0761 11_2_00007FF6ACBF0761
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBA6230 11_2_00007FF6ACBA6230
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC2E310 11_2_00007FF6ACC2E310
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4C2EC 11_2_00007FF6ACC4C2EC
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC2E3E0 11_2_00007FF6ACC2E3E0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC224A0 11_2_00007FF6ACC224A0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB3E26 11_2_00007FF6ACBB3E26
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB99D82 11_2_00007FF6ACB99D82
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC41D94 11_2_00007FF6ACC41D94
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBAFD37 11_2_00007FF6ACBAFD37
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB87D50 11_2_00007FF6ACB87D50
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB7EBB 11_2_00007FF6ACBB7EBB
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBFFFDB 11_2_00007FF6ACBFFFDB
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4BF83 11_2_00007FF6ACC4BF83
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC1E0C0 11_2_00007FF6ACC1E0C0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB859A0 11_2_00007FF6ACB859A0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC299A3 11_2_00007FF6ACC299A3
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC43B1E 11_2_00007FF6ACC43B1E
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC3DB1E 11_2_00007FF6ACC3DB1E
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4BC1A 11_2_00007FF6ACC4BC1A
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC13BC0 11_2_00007FF6ACC13BC0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBC1BB5 11_2_00007FF6ACBC1BB5
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB8BC80 11_2_00007FF6ACB8BC80
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4DC83 11_2_00007FF6ACC4DC83
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBC3622 11_2_00007FF6ACBC3622
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB836F0 11_2_00007FF6ACB836F0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBC17DB 11_2_00007FF6ACBC17DB
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB83748 11_2_00007FF6ACB83748
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB81755 11_2_00007FF6ACB81755
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB9574A 11_2_00007FF6ACB9574A
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4D860 11_2_00007FF6ACC4D860
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC11200 11_2_00007FF6ACC11200
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC0D2D7 11_2_00007FF6ACC0D2D7
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBA13F7 11_2_00007FF6ACBA13F7
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACB8B3D0 11_2_00007FF6ACB8B3D0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBD73D7 11_2_00007FF6ACBD73D7
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBA93F3 11_2_00007FF6ACBA93F3
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC2F480 11_2_00007FF6ACC2F480
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: String function: 00007FF6ACC4A3A0 appears 50 times
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: String function: 00007FF6ACC3B83A appears 36 times
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: String function: 00007FF6ACC4A0C0 appears 188 times
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: String function: 00007FF6ACC48A80 appears 48 times
Source: bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp.0.dr Binary string: \Device\Afd\Mio
Source: bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp.0.dr Binary string: Failed to open \Device\Afd\Mio: x
Source: classification engine Classification label: mal52.win@37/7@6/3
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB1AAA LoadImageW,GetLastError,FormatMessageW,LoadImageW,GetModuleHandleW,CreateWindowExW,memset,memset,memcpy,memcpy,memcpy,Shell_NotifyIconW,memcpy,EnumChildWindows,EnumChildWindows,SetWindowSubclass,RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError, 11_2_00007FF6ACBB1AAA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp
Source: C:\Users\user\Downloads\McAfeeStinger.exe File created: C:\Users\user\AppData\Local\Temp\nwg5202.tmp
Source: C:\Users\user\Downloads\McAfeeStinger.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://cgigroup.blob.core.windows.net/cgi-protective-monitoring-service/tools/get-stinger.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3884 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3784 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4080 /prefetch:8
Source: unknown Process created: C:\Users\user\Downloads\McAfeeStinger.exe "C:\Users\user\Downloads\McAfeeStinger.exe"
Source: C:\Users\user\Downloads\McAfeeStinger.exe Process created: C:\Users\user\Downloads\McAfeeStinger.exe "C:\Users\user\Downloads\McAfeeStinger.exe" --update
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3884 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3784 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1688,16494396912243797666,5406229403683992866,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4080 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Process created: C:\Users\user\Downloads\McAfeeStinger.exe "C:\Users\user\Downloads\McAfeeStinger.exe" --update Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: wldp.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: schannel.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: secur32.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe Section loaded: msftedit.dll
Source: C:\Users\user\Downloads\McAfeeStinger.exe File written: C:\Users\user\AppData\Local\mcafee-stinger\avvdat.ini
Source: C:\Users\user\Downloads\McAfeeStinger.exe File opened: C:\Windows\SYSTEM32\Msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: d45bc07722646519ed8e2be5e9bd2f9e scmdat.pdb source: avvdat.ini.12.dr
Source: Binary string: FileName=scmdat.pdb source: avvdat.ini.12.dr
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC19332 push 380F0003h; retf 11_2_00007FF6ACC19337
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC192BC push 380F0003h; retf 11_2_00007FF6ACC192C1
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC19245 push 380F0003h; retf 11_2_00007FF6ACC1924B
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\bedb9404-1434-4489-b3f3-9a06b7c9028e.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\Unconfirmed 115533.crdownload (copy)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\McAfeeStinger.exe (copy)
Source: C:\Users\user\Downloads\McAfeeStinger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC24930 memset,FindFirstFileW,FindClose,FindCloseChangeNotification, 11_2_00007FF6ACC24930
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB2AA0 GetSystemInfo,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy, 11_2_00007FF6ACBB2AA0
Source: McAfeeStinger.exe, 0000000B.00000002.16253412965.000002971409C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@"CP
Source: McAfeeStinger.exe, 0000000C.00000002.16336001123.0000017CF011B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC489F0 HeapAlloc,GetProcessHeap,RtlAllocateHeap, 11_2_00007FF6ACC489F0
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACBB1AAA LoadImageW,GetLastError,FormatMessageW,LoadImageW,GetModuleHandleW,CreateWindowExW,memset,memset,memcpy,memcpy,memcpy,Shell_NotifyIconW,memcpy,EnumChildWindows,EnumChildWindows,SetWindowSubclass,RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError, 11_2_00007FF6ACBB1AAA
Source: C:\Users\user\Downloads\McAfeeStinger.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Downloads\McAfeeStinger.exe Process created: C:\Users\user\Downloads\McAfeeStinger.exe "C:\Users\user\Downloads\McAfeeStinger.exe" --update
Source: C:\Users\user\Downloads\McAfeeStinger.exe Queries volume information: C:\ProgramData VolumeInformation
Source: C:\Users\user\Downloads\McAfeeStinger.exe Queries volume information: C:\ProgramData\mcafee.ico VolumeInformation
Source: C:\Users\user\Downloads\McAfeeStinger.exe Queries volume information: C:\Users\user\AppData\Local\mcafee-stinger VolumeInformation
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC2F480 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,BCryptGenRandom,CloseHandle, 11_2_00007FF6ACC2F480
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC4942C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 11_2_00007FF6ACC4942C
Source: C:\Users\user\Downloads\McAfeeStinger.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC19E56 bind, 11_2_00007FF6ACC19E56
Source: C:\Users\user\Downloads\McAfeeStinger.exe Code function: 11_2_00007FF6ACC198DB WSASocketW,WSAGetLastError,WSASocketW,SetHandleInformation,GetLastError,bind,WSAGetLastError,closesocket,WSAGetLastError,closesocket, 11_2_00007FF6ACC198DB