Malware Analysis Report

2024-10-19 08:28

Sample ID 240125-v621dscgbj
Target 751c64c056a67fc81509f11e3eb0db9b
SHA256 03e5cf3de2e2fc57a9239fcf1067de02646308e2df9d8376ac99949fe34d5673
Tags
kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03e5cf3de2e2fc57a9239fcf1067de02646308e2df9d8376ac99949fe34d5673

Threat Level: Known bad

The file 751c64c056a67fc81509f11e3eb0db9b was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Program crash

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80u.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 4396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 4396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 4396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80u.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80u.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\91See.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 2636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1048 wrote to memory of 2636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\91See.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\91See.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\SliderAutoPlay.dll,#1

Signatures

Kinsing

loader kinsing

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 3816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1636 wrote to memory of 3816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1636 wrote to memory of 3816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\SliderAutoPlay.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\SliderAutoPlay.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3816 -ip 3816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 664

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/3816-0-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/3816-2-0x0000000060900000-0x0000000060969000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\ThreadTreeDLL.dll,#1

Signatures

Kinsing

loader kinsing

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 4436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3720 wrote to memory of 4436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3720 wrote to memory of 4436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\ThreadTreeDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\ThreadTreeDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 612

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcp80.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcp80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcp80.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\FAMgr.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1876 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1876 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\FAMgr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\FAMgr.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80u.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80u.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80u.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80u.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80u.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80u.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80u.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4964 wrote to memory of 2588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4964 wrote to memory of 2588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4964 wrote to memory of 2588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80u.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfc80u.dll,#1

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\DecodeEx.dll,#1

Signatures

Kinsing

loader kinsing

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\DecodeEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\DecodeEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2148 -ip 2148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 624

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 192.98.74.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\LangTranslate.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\LangTranslate.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\LangTranslate.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

91s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\LangTranslate.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4488 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4488 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\LangTranslate.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\LangTranslate.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\TransDlgDLL.dll,#1

Signatures

Kinsing

loader kinsing

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4664 wrote to memory of 5020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 5020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 5020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\TransDlgDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\TransDlgDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 672

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

142s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\SliderAutoPlay.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\SliderAutoPlay.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\SliderAutoPlay.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 276

Network

N/A

Files

memory/2300-0-0x0000000000100000-0x0000000000113000-memory.dmp

memory/2300-2-0x0000000060900000-0x0000000060969000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\TransDlgDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\TransDlgDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\TransDlgDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 268

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcm80.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcm80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcm80.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231129-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcr80.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcr80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcr80.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\FAMgr.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ARW C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.DDS C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.TIF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.3fr C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.BMP C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.iiq C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.MEF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ICON C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pam C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.DCR C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.KDC C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ICO C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PPM C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pxn C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RW2 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.x3f C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CAP C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PNG C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.TGA C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.TIFF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PBM C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CRW C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.MOS C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.WMF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.eip C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PCX C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.drf C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.k25 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.SRF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.SR2 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RW1 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EMF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.JPG C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pfm C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ERF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ptx C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r3d C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RAW C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.JPEG C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.nrw C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RAF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.DNG C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GIF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PGM C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dcs C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PEF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.PSD C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ORF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CUR C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.MRW C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.NEF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FFF C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RWZ C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pnm C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CR2 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bay C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.DCX C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\FAMgr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\FAMgr.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\ThreadTreeDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\ThreadTreeDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\ThreadTreeDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 232

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\91See.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\91See.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\91See.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\GdiPlus.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\GdiPlus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\GdiPlus.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe"

Signatures

Kinsing

loader kinsing

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe

"C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/3180-1-0x0000000000A40000-0x0000000000A59000-memory.dmp

memory/3180-0-0x0000000000A20000-0x0000000000A33000-memory.dmp

memory/3180-4-0x0000000000A60000-0x0000000000A6F000-memory.dmp

memory/3180-6-0x0000000000AA0000-0x0000000000ABA000-memory.dmp

memory/3180-5-0x0000000000A80000-0x0000000000A93000-memory.dmp

memory/3180-11-0x0000000060900000-0x0000000060969000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\DecodeEx.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\DecodeEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\DecodeEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 236

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\GdiPlus.dll,#1

Signatures

Kinsing

loader kinsing

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3268 wrote to memory of 3612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3268 wrote to memory of 3612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3268 wrote to memory of 3612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\GdiPlus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\GdiPlus.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3612 -ip 3612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

136s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcm80.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 3824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 3824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 3824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcm80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcm80.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 167.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcp80.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1000 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1000 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcp80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcp80.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231129-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe

"C:\Users\Admin\AppData\Local\Temp\91See_QuickView\QuickView.exe"

Network

N/A

Files

memory/2376-0-0x00000000001C0000-0x00000000001D9000-memory.dmp

memory/2376-2-0x00000000001E0000-0x00000000001F3000-memory.dmp

memory/2376-4-0x0000000000210000-0x000000000021F000-memory.dmp

memory/2376-5-0x00000000002B0000-0x00000000002C3000-memory.dmp

memory/2376-7-0x00000000002E0000-0x00000000002FA000-memory.dmp

memory/2376-11-0x0000000060900000-0x0000000060969000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\mfcm80.dll,#1

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

91s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcr80.dll,#1

Signatures

Kinsing

loader kinsing

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4328 wrote to memory of 4180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4328 wrote to memory of 4180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4328 wrote to memory of 4180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcr80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91See_QuickView\msvcr80.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp

Files

N/A