Analysis Overview
SHA256
8672b7df4c0acc1b75dcd966588e97f33f64a866b410a3aa2becb615715ea70a
Threat Level: Likely malicious
The file e55a88e3912ddc2ff9d019b31067c9a4 was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
Document created with cracked Office version
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-20 16:21
Signatures
Office macro that triggers on suspicious action
Suspicious Office macro
Document created with cracked Office version
Unsigned PE
Analysis: behavioral4
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:13
Platform
win10v2004-20231215-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2268 wrote to memory of 3224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2268 wrote to memory of 3224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2268 wrote to memory of 3224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3224 -ip 3224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 780
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2320 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2320 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2320 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:15
Platform
win10v2004-20231215-en
Max time kernel
137s
Max time network
172s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 384 wrote to memory of 3096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 384 wrote to memory of 3096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 384 wrote to memory of 3096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3368 wrote to memory of 664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3368 wrote to memory of 664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3368 wrote to memory of 664 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 664 -ip 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 780
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231215-en
Max time kernel
148s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 384
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:13
Platform
win10v2004-20231215-en
Max time kernel
138s
Max time network
161s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4504 wrote to memory of 1484 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4504 wrote to memory of 1484 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4504 wrote to memory of 1484 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 780
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 444 wrote to memory of 4996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 444 wrote to memory of 4996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 444 wrote to memory of 4996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4996 -ip 4996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 780
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231215-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 380
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:16
Platform
win10v2004-20231215-en
Max time kernel
122s
Max time network
205s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3868 wrote to memory of 2616 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3868 wrote to memory of 2616 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3868 wrote to memory of 2616 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2616 -ip 2616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 808
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231215-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2332 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1
Network
Files
memory/2028-0-0x0000000002340000-0x000000000261E000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win10v2004-20231215-en
Max time kernel
117s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4172 wrote to memory of 220 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4172 wrote to memory of 220 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4172 wrote to memory of 220 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 892
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:16
Platform
win10v2004-20231215-en
Max time kernel
122s
Max time network
211s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3404 wrote to memory of 3836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3404 wrote to memory of 3836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3404 wrote to memory of 3836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 780
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/3836-0-0x00000000029B0000-0x0000000002D14000-memory.dmp
memory/3836-1-0x0000000003000000-0x00000000032DE000-memory.dmp
memory/3836-2-0x00000000032E0000-0x00000000034A2000-memory.dmp
memory/3836-5-0x0000000003C50000-0x0000000003CAB000-memory.dmp
memory/3836-4-0x0000000003AF0000-0x0000000003B9E000-memory.dmp
memory/3836-3-0x00000000037D0000-0x0000000003AE3000-memory.dmp
memory/3836-7-0x0000000004010000-0x00000000041BC000-memory.dmp
memory/3836-8-0x00000000042F0000-0x0000000004326000-memory.dmp
memory/3836-6-0x00000000041C0000-0x00000000042EB000-memory.dmp
memory/3836-9-0x0000000000ED0000-0x0000000000EEC000-memory.dmp
memory/3836-10-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3836-11-0x0000000050050000-0x000000005064A000-memory.dmp
memory/3836-12-0x0000000050650000-0x0000000050A0E000-memory.dmp
memory/3836-13-0x00000000513F0000-0x0000000051456000-memory.dmp
memory/3836-15-0x0000000050A10000-0x0000000050A56000-memory.dmp
memory/3836-18-0x00000000510C0000-0x0000000051346000-memory.dmp
memory/3836-17-0x0000000051350000-0x00000000513A1000-memory.dmp
memory/3836-19-0x0000000051050000-0x00000000510B9000-memory.dmp
memory/3836-16-0x0000000050D90000-0x0000000050FDE000-memory.dmp
memory/3836-14-0x0000000050CF0000-0x0000000050D8C000-memory.dmp
memory/3836-20-0x00000000029B0000-0x0000000002D14000-memory.dmp
memory/3836-21-0x0000000003000000-0x00000000032DE000-memory.dmp
memory/3836-23-0x00000000037D0000-0x0000000003AE3000-memory.dmp
memory/3836-22-0x00000000032E0000-0x00000000034A2000-memory.dmp
memory/3836-24-0x0000000003AF0000-0x0000000003B9E000-memory.dmp
memory/3836-25-0x0000000003C50000-0x0000000003CAB000-memory.dmp
memory/3836-26-0x0000000004010000-0x00000000041BC000-memory.dmp
memory/3836-28-0x00000000042F0000-0x0000000004326000-memory.dmp
memory/3836-30-0x0000000050FE0000-0x0000000051027000-memory.dmp
memory/3836-31-0x0000000000ED0000-0x0000000000EEC000-memory.dmp
memory/3836-29-0x0000000051B90000-0x0000000051C4F000-memory.dmp
memory/3836-27-0x00000000041C0000-0x00000000042EB000-memory.dmp
memory/3836-33-0x0000000050050000-0x000000005064A000-memory.dmp
memory/3836-42-0x00000000029B0000-0x0000000002D14000-memory.dmp
memory/3836-43-0x0000000003000000-0x00000000032DE000-memory.dmp
memory/3836-44-0x00000000032E0000-0x00000000034A2000-memory.dmp
memory/3836-45-0x00000000037D0000-0x0000000003AE3000-memory.dmp
memory/3836-46-0x0000000003AF0000-0x0000000003B9E000-memory.dmp
memory/3836-47-0x0000000003C50000-0x0000000003CAB000-memory.dmp
memory/3836-48-0x0000000004010000-0x00000000041BC000-memory.dmp
memory/3836-50-0x00000000042F0000-0x0000000004326000-memory.dmp
memory/3836-53-0x0000000000ED0000-0x0000000000EEC000-memory.dmp
memory/3836-54-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3836-55-0x0000000050050000-0x000000005064A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231129-en
Max time kernel
142s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 380
Network
Files
memory/3004-0-0x0000000001F40000-0x0000000002012000-memory.dmp
memory/3004-1-0x0000000002500000-0x0000000002864000-memory.dmp
memory/3004-2-0x0000000002870000-0x0000000002B4E000-memory.dmp
memory/3004-3-0x00000000001C0000-0x000000000021B000-memory.dmp
memory/3004-4-0x0000000002B50000-0x0000000002E63000-memory.dmp
memory/3004-5-0x0000000002E70000-0x0000000003032000-memory.dmp
memory/3004-6-0x0000000000270000-0x000000000031E000-memory.dmp
memory/3004-8-0x0000000000190000-0x00000000001AC000-memory.dmp
memory/3004-9-0x0000000003040000-0x00000000031EC000-memory.dmp
memory/3004-7-0x0000000000330000-0x0000000000366000-memory.dmp
memory/3004-10-0x00000000031F0000-0x000000000331B000-memory.dmp
memory/3004-11-0x0000000000A70000-0x0000000000B03000-memory.dmp
memory/3004-13-0x0000000000370000-0x000000000038F000-memory.dmp
memory/3004-12-0x0000000003320000-0x0000000003497000-memory.dmp
memory/3004-14-0x0000000001F40000-0x0000000002012000-memory.dmp
memory/3004-16-0x0000000050650000-0x0000000050A0E000-memory.dmp
memory/3004-20-0x0000000002870000-0x0000000002B4E000-memory.dmp
memory/3004-19-0x00000000513F0000-0x0000000051456000-memory.dmp
memory/3004-18-0x0000000050CF0000-0x0000000050D8C000-memory.dmp
memory/3004-17-0x0000000002500000-0x0000000002864000-memory.dmp
memory/3004-15-0x0000000050050000-0x000000005064A000-memory.dmp
memory/3004-22-0x00000000001C0000-0x000000000021B000-memory.dmp
memory/3004-28-0x0000000051350000-0x00000000513A1000-memory.dmp
memory/3004-29-0x00000000510C0000-0x0000000051346000-memory.dmp
memory/3004-30-0x0000000051050000-0x00000000510B9000-memory.dmp
memory/3004-34-0x0000000003040000-0x00000000031EC000-memory.dmp
memory/3004-37-0x0000000003320000-0x0000000003497000-memory.dmp
memory/3004-36-0x0000000000A70000-0x0000000000B03000-memory.dmp
memory/3004-38-0x0000000000370000-0x000000000038F000-memory.dmp
memory/3004-35-0x00000000031F0000-0x000000000331B000-memory.dmp
memory/3004-33-0x0000000000190000-0x00000000001AC000-memory.dmp
memory/3004-32-0x0000000000330000-0x0000000000366000-memory.dmp
memory/3004-31-0x0000000000270000-0x000000000031E000-memory.dmp
memory/3004-27-0x0000000002E70000-0x0000000003032000-memory.dmp
memory/3004-26-0x0000000050A10000-0x0000000050A56000-memory.dmp
memory/3004-25-0x0000000050FE0000-0x0000000051027000-memory.dmp
memory/3004-24-0x0000000051B90000-0x0000000051C4F000-memory.dmp
memory/3004-23-0x0000000002B50000-0x0000000002E63000-memory.dmp
memory/3004-21-0x0000000050D90000-0x0000000050FDE000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:13
Platform
win7-20231215-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1
Network
Files
memory/2716-0-0x00000000001D0000-0x00000000001EF000-memory.dmp
memory/2716-1-0x00000000020A0000-0x000000000237E000-memory.dmp
memory/2716-2-0x0000000000260000-0x00000000002BB000-memory.dmp
memory/2716-3-0x0000000002380000-0x0000000002693000-memory.dmp
memory/2716-4-0x0000000000A00000-0x0000000000BC2000-memory.dmp
memory/2716-5-0x0000000000460000-0x000000000050E000-memory.dmp
memory/2716-6-0x00000000002C0000-0x00000000002F6000-memory.dmp
memory/2716-7-0x00000000026A0000-0x0000000002A04000-memory.dmp
memory/2716-8-0x00000000001F0000-0x000000000020C000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231215-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 380
Network
Files
memory/2324-0-0x00000000001F0000-0x000000000022C000-memory.dmp
memory/2324-1-0x0000000002270000-0x00000000025D4000-memory.dmp
memory/2324-2-0x00000000025E0000-0x00000000028BE000-memory.dmp
memory/2324-3-0x0000000000270000-0x00000000002CB000-memory.dmp
memory/2324-4-0x00000000028C0000-0x0000000002BD3000-memory.dmp
memory/2324-5-0x0000000002BE0000-0x0000000002DA2000-memory.dmp
memory/2324-6-0x0000000002DB0000-0x0000000002E5E000-memory.dmp
memory/2324-7-0x00000000002D0000-0x0000000000306000-memory.dmp
memory/2324-8-0x0000000000310000-0x000000000032C000-memory.dmp
memory/2324-9-0x0000000002E60000-0x000000000300C000-memory.dmp
memory/2324-10-0x0000000003010000-0x000000000313B000-memory.dmp
memory/2324-11-0x00000000001F0000-0x000000000022C000-memory.dmp
memory/2324-12-0x0000000050050000-0x000000005064A000-memory.dmp
memory/2324-17-0x00000000025E0000-0x00000000028BE000-memory.dmp
memory/2324-16-0x00000000513F0000-0x0000000051456000-memory.dmp
memory/2324-15-0x0000000050CF0000-0x0000000050D8C000-memory.dmp
memory/2324-14-0x0000000002270000-0x00000000025D4000-memory.dmp
memory/2324-13-0x0000000050650000-0x0000000050A0E000-memory.dmp
memory/2324-25-0x0000000051350000-0x00000000513A1000-memory.dmp
memory/2324-24-0x0000000002BE0000-0x0000000002DA2000-memory.dmp
memory/2324-23-0x0000000050A10000-0x0000000050A56000-memory.dmp
memory/2324-31-0x0000000002E60000-0x000000000300C000-memory.dmp
memory/2324-30-0x0000000000310000-0x000000000032C000-memory.dmp
memory/2324-32-0x0000000003010000-0x000000000313B000-memory.dmp
memory/2324-29-0x00000000002D0000-0x0000000000306000-memory.dmp
memory/2324-28-0x0000000002DB0000-0x0000000002E5E000-memory.dmp
memory/2324-27-0x0000000051050000-0x00000000510B9000-memory.dmp
memory/2324-26-0x00000000510C0000-0x0000000051346000-memory.dmp
memory/2324-22-0x0000000050FE0000-0x0000000051027000-memory.dmp
memory/2324-21-0x0000000051B90000-0x0000000051C4F000-memory.dmp
memory/2324-20-0x00000000028C0000-0x0000000002BD3000-memory.dmp
memory/2324-19-0x0000000000270000-0x00000000002CB000-memory.dmp
memory/2324-18-0x0000000050D90000-0x0000000050FDE000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:15
Platform
win7-20231215-en
Max time kernel
165s
Max time network
133s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 384
Network
Files
memory/2760-0-0x0000000001FF0000-0x0000000002162000-memory.dmp
memory/2760-1-0x0000000002170000-0x00000000024D4000-memory.dmp
memory/2760-2-0x00000000024E0000-0x00000000027BE000-memory.dmp
memory/2760-3-0x0000000000210000-0x000000000026B000-memory.dmp
memory/2760-4-0x00000000027C0000-0x0000000002AD3000-memory.dmp
memory/2760-6-0x0000000001F00000-0x0000000001FAE000-memory.dmp
memory/2760-5-0x0000000002AE0000-0x0000000002CA2000-memory.dmp
memory/2760-8-0x00000000001B0000-0x00000000001CC000-memory.dmp
memory/2760-10-0x0000000000270000-0x000000000028A000-memory.dmp
memory/2760-11-0x00000000002D0000-0x0000000000325000-memory.dmp
memory/2760-12-0x0000000002E60000-0x0000000002F8B000-memory.dmp
memory/2760-9-0x0000000002CB0000-0x0000000002E5C000-memory.dmp
memory/2760-7-0x0000000000130000-0x0000000000166000-memory.dmp
memory/2760-13-0x0000000001FF0000-0x0000000002162000-memory.dmp
memory/2760-14-0x0000000050050000-0x000000005064A000-memory.dmp
memory/2760-16-0x0000000002170000-0x00000000024D4000-memory.dmp
memory/2760-17-0x0000000050CF0000-0x0000000050D8C000-memory.dmp
memory/2760-15-0x0000000050650000-0x0000000050A0E000-memory.dmp
memory/2760-18-0x00000000513F0000-0x0000000051456000-memory.dmp
memory/2760-19-0x00000000024E0000-0x00000000027BE000-memory.dmp
memory/2760-20-0x0000000050D90000-0x0000000050FDE000-memory.dmp
memory/2760-25-0x0000000050A10000-0x0000000050A56000-memory.dmp
memory/2760-24-0x0000000050FE0000-0x0000000051027000-memory.dmp
memory/2760-27-0x0000000051350000-0x00000000513A1000-memory.dmp
memory/2760-26-0x0000000002AE0000-0x0000000002CA2000-memory.dmp
memory/2760-28-0x00000000510C0000-0x0000000051346000-memory.dmp
memory/2760-23-0x0000000051B90000-0x0000000051C4F000-memory.dmp
memory/2760-22-0x00000000027C0000-0x0000000002AD3000-memory.dmp
memory/2760-21-0x0000000000210000-0x000000000026B000-memory.dmp
memory/2760-29-0x0000000051050000-0x00000000510B9000-memory.dmp
memory/2760-35-0x00000000002D0000-0x0000000000325000-memory.dmp
memory/2760-37-0x0000000002E60000-0x0000000002F8B000-memory.dmp
memory/2760-36-0x0000000021830000-0x00000000218A6000-memory.dmp
memory/2760-34-0x0000000000270000-0x000000000028A000-memory.dmp
memory/2760-33-0x0000000002CB0000-0x0000000002E5C000-memory.dmp
memory/2760-32-0x00000000001B0000-0x00000000001CC000-memory.dmp
memory/2760-31-0x0000000000130000-0x0000000000166000-memory.dmp
memory/2760-30-0x0000000001F00000-0x0000000001FAE000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:16
Platform
win10v2004-20231215-en
Max time kernel
135s
Max time network
199s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID\ = "BFTLib.SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID\ = "BFTLib.BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\ = "BFT Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid\ = "{843E098B-5D52-45EF-954D-23140B414ADD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid\ = "{244636BF-CD77-4AE0-9615-92B526B9EA1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4780 wrote to memory of 1800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4780 wrote to memory of 1800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4780 wrote to memory of 1800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/1800-0-0x0000000002640000-0x0000000002802000-memory.dmp
memory/1800-2-0x0000000002810000-0x0000000002B23000-memory.dmp
memory/1800-1-0x0000000002B30000-0x0000000002BDE000-memory.dmp
memory/1800-3-0x0000000003480000-0x00000000037E4000-memory.dmp
memory/1800-4-0x00000000031A0000-0x000000000347E000-memory.dmp
memory/1800-5-0x0000000003AD0000-0x0000000003B2B000-memory.dmp
memory/1800-6-0x0000000002BE0000-0x0000000002C16000-memory.dmp
memory/1800-7-0x0000000000D50000-0x0000000000D6C000-memory.dmp
memory/1800-8-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1800-9-0x0000000050050000-0x000000005064A000-memory.dmp
memory/1800-10-0x0000000050650000-0x0000000050A0E000-memory.dmp
memory/1800-11-0x0000000050D90000-0x0000000050FDE000-memory.dmp
memory/1800-12-0x0000000050CF0000-0x0000000050D8C000-memory.dmp
memory/1800-13-0x00000000513F0000-0x0000000051456000-memory.dmp
memory/1800-14-0x0000000051350000-0x00000000513A1000-memory.dmp
memory/1800-15-0x00000000510C0000-0x0000000051346000-memory.dmp
memory/1800-16-0x0000000050A10000-0x0000000050A56000-memory.dmp
memory/1800-17-0x0000000051050000-0x00000000510B9000-memory.dmp
memory/1800-18-0x0000000002640000-0x0000000002802000-memory.dmp
memory/1800-19-0x0000000002810000-0x0000000002B23000-memory.dmp
memory/1800-22-0x0000000003480000-0x00000000037E4000-memory.dmp
memory/1800-21-0x00000000031A0000-0x000000000347E000-memory.dmp
memory/1800-24-0x0000000051B90000-0x0000000051C4F000-memory.dmp
memory/1800-26-0x0000000002BE0000-0x0000000002C16000-memory.dmp
memory/1800-25-0x0000000050FE0000-0x0000000051027000-memory.dmp
memory/1800-27-0x0000000000D50000-0x0000000000D6C000-memory.dmp
memory/1800-23-0x0000000003AD0000-0x0000000003B2B000-memory.dmp
memory/1800-20-0x0000000002B30000-0x0000000002BDE000-memory.dmp
memory/1800-51-0x0000000050D90000-0x0000000050FDE000-memory.dmp
memory/1800-52-0x0000000050CF0000-0x0000000050D8C000-memory.dmp
memory/1800-53-0x00000000513F0000-0x0000000051456000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win10v2004-20231215-en
Max time kernel
129s
Max time network
163s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 3392 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1964 wrote to memory of 3392 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1964 wrote to memory of 3392 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3392 -ip 3392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 972
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:16
Platform
win7-20231215-en
Max time kernel
46s
Max time network
48s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:15
Platform
win7-20231215-en
Max time kernel
160s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 384
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:16
Platform
win10v2004-20231215-en
Max time kernel
135s
Max time network
199s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2608 wrote to memory of 2904 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2608 wrote to memory of 2904 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2608 wrote to memory of 2904 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2904 -ip 2904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 780
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231215-en
Max time kernel
146s
Max time network
131s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 384
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231215-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win10v2004-20231215-en
Max time kernel
133s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 440 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 440 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 440 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:15
Platform
win7-20231215-en
Max time kernel
150s
Max time network
41s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 384
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:15
Platform
win7-20231215-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid\ = "{244636BF-CD77-4AE0-9615-92B526B9EA1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid\ = "{843E098B-5D52-45EF-954D-23140B414ADD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID\ = "BFTLib.BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\ = "BFT Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID\ = "BFTLib.SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win10v2004-20231215-en
Max time kernel
118s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4608 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4608 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4608 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 956 -ip 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 604
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:16
Platform
win7-20231215-en
Max time kernel
181s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 384
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:15
Platform
win7-20231215-en
Max time kernel
122s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:14
Platform
win7-20231215-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:16
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
206s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3500 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3500 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3500 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2023-12-20 16:19
Reported
2023-12-22 11:15
Platform
win10v2004-20231215-en
Max time kernel
134s
Max time network
172s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1388 wrote to memory of 784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1388 wrote to memory of 784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1388 wrote to memory of 784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1
Network
Files
memory/784-0-0x00000000024E0000-0x00000000027BE000-memory.dmp