Malware Analysis Report

2025-06-15 21:45

Sample ID 230409-wxxjzseb9s
Target SAMTOOLv2.1.1.2.rar
SHA256 25d32aaaf985ce7bb19efb21c0c0cbfd71a454dc4d421131e9faf2e25bc1bba0
Tags
agilenet
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

25d32aaaf985ce7bb19efb21c0c0cbfd71a454dc4d421131e9faf2e25bc1bba0

Threat Level: Shows suspicious behavior

The file SAMTOOLv2.1.1.2.rar was found to be: Shows suspicious behavior.

Malicious Activity Summary

agilenet

Obfuscated with Agile.Net obfuscator

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-04-09 18:18

Signatures

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:21

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe

"C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe"

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" version

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" start-server

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

adb -L tcp:5037 fork-server server --reply-fd 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 5.233.140.95.in-addr.arpa udp
N/A 127.0.0.1:5037 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
N/A 127.0.0.1:5037 tcp
N/A 127.0.0.1:49758 tcp
N/A 127.0.0.1:5555 tcp
N/A 127.0.0.1:5354 tcp
N/A 127.0.0.1:49766 tcp
N/A 127.0.0.1:5557 tcp
N/A 127.0.0.1:5559 tcp
N/A 127.0.0.1:5561 tcp
N/A 127.0.0.1:5563 tcp
N/A 127.0.0.1:5565 tcp
US 52.152.108.96:443 tcp
N/A 127.0.0.1:5567 tcp
N/A 127.0.0.1:5569 tcp
N/A 127.0.0.1:5571 tcp
FR 40.79.141.154:443 tcp
N/A 127.0.0.1:5573 tcp
N/A 127.0.0.1:5575 tcp
N/A 127.0.0.1:5577 tcp
N/A 127.0.0.1:5579 tcp
N/A 127.0.0.1:5581 tcp
N/A 127.0.0.1:5583 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 127.0.0.1:5585 tcp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

memory/4932-133-0x0000000000F20000-0x000000000142E000-memory.dmp

memory/4932-134-0x00000000065B0000-0x0000000006B54000-memory.dmp

memory/4932-135-0x0000000005EA0000-0x0000000005F32000-memory.dmp

memory/4932-136-0x0000000005FF0000-0x0000000006000000-memory.dmp

memory/4932-137-0x0000000006200000-0x000000000620A000-memory.dmp

memory/4932-138-0x0000000005FF0000-0x0000000006000000-memory.dmp

memory/4932-139-0x000000000EE20000-0x000000000EE86000-memory.dmp

memory/4932-141-0x000000000A910000-0x000000000A92A000-memory.dmp

memory/4932-142-0x0000000005FF0000-0x0000000006000000-memory.dmp

memory/4932-143-0x000000000AC50000-0x000000000AC58000-memory.dmp

memory/3944-144-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/4932-145-0x0000000005FF0000-0x0000000006000000-memory.dmp

memory/4932-146-0x0000000005FF0000-0x0000000006000000-memory.dmp

memory/4348-150-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/4932-151-0x0000000005FF0000-0x0000000006000000-memory.dmp

memory/4472-152-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/4472-153-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/4472-155-0x0000000000400000-0x00000000005E7000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:19

Platform

win7-20230220-en

Max time kernel

26s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 252

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x310

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:21

Platform

win10v2004-20230221-en

Max time kernel

158s

Max time network

172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1672 -ip 1672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 616

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 52.152.110.14:443 tcp
US 20.44.10.123:443 tcp
US 8.8.8.8:53 143.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.152.110.14:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:21

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe"

Network

N/A

Files

memory/1376-54-0x0000000000400000-0x00000000005E7000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:21

Platform

win7-20230220-en

Max time kernel

143s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 1300 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 1300 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 1300 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 1300 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 1300 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 1300 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 1300 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 388 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 388 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 388 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe
PID 388 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe

"C:\Users\Admin\AppData\Local\Temp\SAMTOOL.exe"

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" version

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe" start-server

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

adb -L tcp:5037 fork-server server --reply-fd 256

Network

Country Destination Domain Proto
N/A 127.0.0.1:5037 tcp
N/A 127.0.0.1:5037 tcp
N/A 127.0.0.1:49184 tcp
N/A 127.0.0.1:5555 tcp
N/A 127.0.0.1:5354 tcp
N/A 127.0.0.1:5557 tcp
N/A 127.0.0.1:49192 tcp
N/A 127.0.0.1:5559 tcp
N/A 127.0.0.1:5561 tcp
N/A 127.0.0.1:5563 tcp
N/A 127.0.0.1:5565 tcp
N/A 127.0.0.1:5567 tcp
N/A 127.0.0.1:5569 tcp
N/A 127.0.0.1:5571 tcp
N/A 127.0.0.1:5573 tcp
N/A 127.0.0.1:5575 tcp
N/A 127.0.0.1:5577 tcp
N/A 127.0.0.1:5579 tcp
N/A 127.0.0.1:5581 tcp
N/A 127.0.0.1:5583 tcp
N/A 127.0.0.1:5585 tcp

Files

memory/1300-54-0x0000000000AE0000-0x0000000000FEE000-memory.dmp

memory/1300-55-0x0000000000440000-0x000000000045E000-memory.dmp

memory/1300-56-0x0000000004580000-0x00000000045EE000-memory.dmp

memory/1300-57-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1300-58-0x0000000000A60000-0x0000000000A7C000-memory.dmp

memory/1300-59-0x00000000049D0000-0x00000000049F0000-memory.dmp

memory/1300-60-0x00000000049F0000-0x0000000004A10000-memory.dmp

memory/1300-62-0x0000000004A10000-0x0000000004A1E000-memory.dmp

memory/1300-61-0x0000000004F50000-0x0000000004FAA000-memory.dmp

memory/1300-63-0x0000000004A20000-0x0000000004A3E000-memory.dmp

memory/1300-64-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/1300-65-0x00000000050F0000-0x000000000523E000-memory.dmp

memory/1300-66-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1300-67-0x0000000006060000-0x0000000006286000-memory.dmp

memory/1300-68-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1300-70-0x0000000009E80000-0x0000000009EAC000-memory.dmp

memory/1300-71-0x000000000D0A0000-0x000000000D0B0000-memory.dmp

memory/1300-72-0x000000000D120000-0x000000000D13A000-memory.dmp

memory/1300-73-0x0000000005F90000-0x0000000005F98000-memory.dmp

memory/1504-74-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/388-78-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1300-79-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1300-80-0x0000000000400000-0x0000000000440000-memory.dmp

memory/852-81-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1300-82-0x0000000000400000-0x0000000000440000-memory.dmp

memory/852-83-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/852-84-0x0000000000400000-0x00000000005E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:21

Platform

win10v2004-20230220-en

Max time kernel

86s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 3336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 3336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 3336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinApi.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3336 -ip 3336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 52.152.108.96:443 tcp
US 20.189.173.12:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
NL 8.238.20.126:80 tcp
US 93.184.220.29:80 tcp
NL 8.238.20.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:21

Platform

win7-20230220-en

Max time kernel

28s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1992 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADB\AdbWinUsbApi.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-04-09 18:18

Reported

2023-04-09 18:21

Platform

win10v2004-20230220-en

Max time kernel

91s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe

"C:\Users\Admin\AppData\Local\Temp\ADB\adb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 178.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 20.189.173.9:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp

Files

memory/2856-133-0x0000000000400000-0x00000000005E7000-memory.dmp