Analysis Overview
SHA256
faf9b23508c4445bf9017cacb3b4f08f39d0cd0cd48cc17156320abb6083d9c7
Threat Level: Known bad
The file ngg_cl.zip was found to be: Known bad.
Malicious Activity Summary
NetSupport
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-05-29 05:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2044 wrote to memory of 860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3032 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3032 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 20.42.73.26:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
138s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4024 wrote to memory of 4720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4024 wrote to memory of 4720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4024 wrote to memory of 4720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4720 -ip 4720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FR | 40.79.141.153:443 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.78.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.94.239.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| IE | 20.54.89.15:443 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230221-en
Max time kernel
92s
Max time network
106s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 392 wrote to memory of 3400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 392 wrote to memory of 3400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 392 wrote to memory of 3400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 20.189.173.10:443 | tcp | |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
140s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4336 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4336 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4336 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 37.184.99.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| FR | 51.11.192.49:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2188 wrote to memory of 4104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 4104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 4104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4104 -ip 4104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.133.99.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.182.141.63:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 13.107.4.50:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
29s
Max time network
32s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 224
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
29s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 916 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 916 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 916 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 916 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 916 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 916 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 916 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 4144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 4144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 4144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| IE | 20.50.73.9:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
29s
Max time network
147s
Command Line
Signatures
NetSupport
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\client32.exe
"C:\Users\Admin\AppData\Local\Temp\client32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xoomep1.com | udp |
| NL | 80.66.88.143:1935 | xoomep1.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.67:80 | geo.netsupportsoftware.com | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
NetSupport
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\client32.exe
"C:\Users\Admin\AppData\Local\Temp\client32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xoomep1.com | udp |
| NL | 80.66.88.143:1935 | xoomep1.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 51.142.119.24:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 143.88.66.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.119.142.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 20.42.73.25:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 40.77.2.164:443 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4596 wrote to memory of 3524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4596 wrote to memory of 3524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4596 wrote to memory of 3524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 13.89.179.8:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| NL | 8.238.21.254:80 | tcp | |
| NL | 8.238.21.254:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| NL | 8.238.21.254:80 | tcp | |
| NL | 8.238.21.254:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 836 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 836 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 836 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 836 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 836 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 836 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 836 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe
"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-05-29 05:26
Reported
2023-05-29 05:28
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
154s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe
"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 20.42.72.131:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp |